Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
Analysis ID: 1379909
MD5: 6b7465de74c38692e7072c1f48c13782
SHA1: 5d918f8945b66044b3833fbfd7c6e540421866a4
SHA256: 0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
Tags: CoinMiner, exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Adds a directory exclusion to Windows Defender
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Stops critical windows services
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing special instructions (VM detection)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe (PID: 1984 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe MD5: 6B7465DE74C38692E7072C1F48C13782)
    • dialer.exe (PID: 5952 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 2440 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 992 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 5640 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WmiPrvSE.exe (PID: 5560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cmd.exe (PID: 3496 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1628 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1576 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 1784 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 2284 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • sc.exe (PID: 3620 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 1412 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4676 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 6552 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 6768 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • powercfg.exe (PID: 6076 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  • WindowsAutHost (PID: 2284 cmdline: C:\Program Files\WindowsServices\WindowsAutHost MD5: 6B7465DE74C38692E7072C1F48C13782)
  • powershell.exe (PID: 6076 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5744 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

Operating System Destruction

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 3496, ProcessName: cmd.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Avira: detected
Source: C:\Program Files\WindowsServices\WindowsAutHost; Avira: detection malicious, Label: HEUR/AGEN.1325655
Source: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp; Avira: detection malicious, Label: RKIT/Agent.diumn
Source: C:\Program Files\WindowsServices\WindowsAutHost; ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp; ReversingLabs: Detection: 91%
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; ReversingLabs: Detection: 18%
Source: C:\Program Files\WindowsServices\WindowsAutHost; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Directory created: C:\Program Files\WindowsServices\
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ~1.PDB @ source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE074000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: lsass.exe, 00000018.00000000.2162406140.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162458854.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000003.2167180268.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE0C1000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000018.00000000.2162996955.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000018.00000000.2162406140.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162458854.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000003.2167180268.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE0C1000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000018.00000000.2162996955.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162458854.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000003.2167180268.00000140AD8C0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE0C1000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000018.00000000.2162996955.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.42.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000018.00000000.2161955084.00000140AD850000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162406140.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE0C1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162458854.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000018.00000000.2162996955.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000018.00000000.2162632938.00000140AE09D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162854714.00000140AE151000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000028.00000000.2239631619.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2161955084.00000140AD850000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000018.00000000.2162996955.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000018.00000000.2162996955.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.digicert.com/CPS0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: section name: .-zo
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: section name: .]24
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: section name: .j+f
Source: WindowsAutHost.0.dr; Static PE information: section name: .-zo
Source: WindowsAutHost.0.dr; Static PE information: section name: .]24
Source: WindowsAutHost.0.dr; Static PE information: section name: .j+f
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qsduz5tt.rpa.ps1
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
Source: bybyvhosusgk.tmp.0.dr; Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: WindowsAutHost.0.dr; Static PE information: Number of sections : 15 > 10
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: Number of sections : 15 > 10
Source: bybyvhosusgk.tmp.0.dr; Binary string: SOFTWARE\dialerconfigstartuppidprocess_namespathsservice_namestcp_localtcp_remoteudp\\?\NtQueryObjectntdll.dllNtQuerySystemInformationNtResumeThreadNtQueryDirectoryFileNtQueryDirectoryFileExNtEnumerateKeyNtEnumerateValueKeyEnumServiceGroupWadvapi32.dllEnumServicesStatusExWsechost.dllNtDeviceIoControlFile\\.\pipe\dialerchildproc64\\.\pipe\dialerchildproc32\\.\pipe\\Device\Nsidialer@
Source: classification engine; Classification label: mal100.adwa.spyw.evad.winEXE@39/15@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; File created: C:\Program Files\WindowsServices\
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; File created: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\sc.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files\WindowsServices\WindowsAutHost C:\Program Files\WindowsServices\WindowsAutHost
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\powercfg.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Directory created: C:\Program Files\WindowsServices\
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static file information: File size 18746368 > 1048576
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: Raw size of .j+f is bigger than: 0x100000 < 0x11df800
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ~1.PDB @ source: svchost.exe, 00000023.00000000.2226202443.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000023.00000000.2226161926.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000023.00000000.2226243521.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: initial sampleStatic PE information: section where entry point is pointing to: .j+f
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeStatic PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeStatic PE information: section name: .r/P
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeStatic PE information: section name: .-zo
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeStatic PE information: section name: .]24
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeStatic PE information: section name: .j+f
Source: WindowsAutHost.0.drStatic PE information: section name: .xdata
Source: WindowsAutHost.0.drStatic PE information: section name: .r/P
Source: WindowsAutHost.0.drStatic PE information: section name: .-zo
Source: WindowsAutHost.0.drStatic PE information: section name: .]24
Source: WindowsAutHost.0.drStatic PE information: section name: .j+f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeFile created: C:\Program Files\WindowsServices\WindowsAutHostJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeFile created: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmpJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeFile created: C:\Program Files\WindowsServices\WindowsAutHostJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BYBYVHOSUSGK.TMP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Memory written: PID: 1984 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Memory written: PID: 1984 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Memory written: PID: 1984 base: 7FF8C8A6000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Memory written: PID: 1984 base: 7FF8C891CBC0 value: E9 5A 34 14 00
Source: C:\Program Files\WindowsServices\WindowsAutHost | Memory written: PID: 2284 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Program Files\WindowsServices\WindowsAutHost | Memory written: PID: 2284 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Program Files\WindowsServices\WindowsAutHostSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Program Files\WindowsServices\WindowsAutHostSystem information queried: FirmwareTableInformationJump to behavior
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, 00000000.00000002.2163816753.000000CA07FFB000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, 00000000.00000002.2163895108.000002A2529C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, 00000000.00000002.2163816753.000000CA07FFB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL{
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeSpecial instruction interceptor: First address: 00007FF702EBDCE4 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exeSpecial instruction interceptor: First address: 00007FF702EBDCF2 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Program Files\WindowsServices\WindowsAutHostSpecial instruction interceptor: First address: 00007FF60787DCE4 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Program Files\WindowsServices\WindowsAutHostSpecial instruction interceptor: First address: 00007FF60787DCF2 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3566
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5520
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 1234
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 8293
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 6292
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 3209
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9818
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9545
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9533
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9962
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9963
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 8586
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9965
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9967
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4744
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9966
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9917
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 | Thread sleep count: 3566 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 | Thread sleep count: 5520 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7064 | Thread sleep count: 1234 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7064 | Thread sleep time: -1234000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7064 | Thread sleep count: 8293 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7064 | Thread sleep time: -8293000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep count: 6292 > 30
Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep time: -6292000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep count: 3209 > 30
Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep time: -3209000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 616 | Thread sleep count: 9818 > 30
Source: C:\Windows\System32\dwm.exe TID: 616 | Thread sleep time: -9818000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2696 | Thread sleep count: 9545 > 30
Source: C:\Windows\System32\svchost.exe TID: 2696 | Thread sleep time: -9545000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5944 | Thread sleep count: 9533 > 30
Source: C:\Windows\System32\svchost.exe TID: 5944 | Thread sleep time: -9533000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5648 | Thread sleep count: 9962 > 30
Source: C:\Windows\System32\svchost.exe TID: 5648 | Thread sleep time: -9962000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6760 | Thread sleep count: 9963 > 30
Source: C:\Windows\System32\svchost.exe TID: 6760 | Thread sleep time: -9963000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6600 | Thread sleep count: 8586 > 30
Source: C:\Windows\System32\svchost.exe TID: 6600 | Thread sleep time: -8586000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2296 | Thread sleep count: 9965 > 30
Source: C:\Windows\System32\svchost.exe TID: 2296 | Thread sleep time: -9965000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1848 | Thread sleep count: 9967 > 30
Source: C:\Windows\System32\svchost.exe TID: 1848 | Thread sleep time: -9967000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 | Thread sleep count: 4453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 | Thread sleep count: 4744 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5740 | Thread sleep count: 9966 > 30
Source: C:\Windows\System32\svchost.exe TID: 5740 | Thread sleep time: -9966000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7088 | Thread sleep count: 9917 > 30
Source: C:\Windows\System32\svchost.exe TID: 7088 | Thread sleep time: -9917000s >= -30000s
Source: C:\Windows\System32\powercfg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\powercfg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000025.00000000.2232161540.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000025.00000000.2228957453.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000025.00000000.2228979978.00000205FAC43000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000022.00000000.2207137091.00000254A202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000001D.00000000.2173122552.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PointVMware&P
Source: dwm.exe, 0000001D.00000000.2173122552.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: svchost.exe, 00000025.00000000.2232161540.00000205FBEAD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: lsass.exe, 00000018.00000000.2161893524.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2166657191.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000000.2195921956.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.2196923246.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000022.00000000.2207471825.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.2228957453.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dwm.exe, 0000001D.00000000.2173122552.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000025.00000000.2229029357.00000205FAC96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMCI: Using capabilities (0x1c).
Source: lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000025.00000000.2230492429.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000025.00000000.2230116659.00000205FB933000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value)
Source: svchost.exe, 0000001C.00000003.2829533455.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000020.00000000.2196857926.000001CA97800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000018.00000000.2162036408.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: svchost.exe, 00000025.00000003.3085436210.00000205FBA44000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
Source: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe, 00000000.00000002.2166736054.00007FF700F9A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: }hGfs
Source: svchost.exe, 00000025.00000000.2230267015.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000025.00000003.3086464660.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Thread information set: HideFromDebugger
Source: C:\Program Files\WindowsServices\WindowsAutHost | Thread information set: HideFromDebugger
Source: C:\Program Files\WindowsServices\WindowsAutHost | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Handle closed: DEADC0DE
Source: C:\Program Files\WindowsServices\WindowsAutHost | Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process queried: DebugPort
Source: C:\Program Files\WindowsServices\WindowsAutHost | Process queried: DebugPort
Source: C:\Program Files\WindowsServices\WindowsAutHost | Process queried: DebugObjectHandle
Source: C:\Program Files\WindowsServices\WindowsAutHost | Process queried: DebugObjectHandle
Source: C:\Program Files\WindowsServices\WindowsAutHost | Process queried: DebugObjectHandle
Source: C:\Program Files\WindowsServices\WindowsAutHost | Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Section loaded: C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Thread register set: target process: 5952
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Memory written: C:\Windows\System32\dialer.exe base: 2C5AA0F010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: winlogon.exe, 00000013.00000000.2158686722.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001D.00000000.2171437227.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001D.00000000.2170804798.0000011605AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000013.00000000.2158686722.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001D.00000000.2171437227.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000013.00000000.2158686722.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001D.00000000.2171437227.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000013.00000000.2158686722.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000001D.00000000.2171437227.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc
MITRE ATT&CK Matrix (techniques listed per tactic column; the numbers preceding a technique are kept as shown in the original matrix)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 2 Windows Management Instrumentation, 1 Service Execution, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 Windows Service, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 1 Windows Service, 312 Process Injection, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 12 Masquerading, 1 File and Directory Permissions Modification, 2 Disable or Modify Tools, 241 Virtualization/Sandbox Evasion, 312 Process Injection, 1 DLL Side-Loading, 1 File Deletion
Credential Access: 1 Credential API Hooking, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 621 Security Software Discovery, 2 Process Discovery, 241 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 Remote System Discovery, 132 System Information Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Credential API Hooking, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS, SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Behavior Graph (ID 1379909, start date 23/01/2024, architecture WINDOWS, score 100), as a process tree:

SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe (started)
  dropped: C:\Users\user\AppData\...\bybyvhosusgk.tmp (PE32+)
  dropped: C:\Program Files\...\WindowsAutHost (PE32+)
  dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
  signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 7 other signatures
  -> dialer.exe (started)
       -> lsass.exe (injected)
            -> svchost.exe (injected)
       -> winlogon.exe (injected)
       -> dwm.exe (injected)
       -> 11 other processes (injected)
WindowsAutHost (started)
  signatures: Tries to detect debuggers (CloseHandle check); Hides threads from debuggers
cmd.exe (started)
  signatures: Uses powercfg.exe to modify the power settings; Stops critical windows services; Modifies power options to not sleep / hibernate
  -> sc.exe (started)
       -> conhost.exe (started)
  -> conhost.exe (started)
  -> sc.exe (started)
  -> 3 other processes
4 other processes (started)
  -> conhost.exe (started)
  -> conhost.exe (started)
  -> powercfg.exe (started)
  -> 5 other processes

Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 7 other signatures

Antivirus results for the submitted sample (Source / Detection / Scanner / Label):
SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe  18%   ReversingLabs   Win64.Trojan.Generic
SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe  100%  Avira           HEUR/AGEN.1325655
SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe  100%  Joe Sandbox ML

Antivirus results for dropped files (Source / Detection / Scanner / Label):
C:\Program Files\WindowsServices\WindowsAutHost    100%  Avira           HEUR/AGEN.1325655
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  100%  Avira           RKIT/Agent.diumn
C:\Program Files\WindowsServices\WindowsAutHost    100%  Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  100%  Joe Sandbox ML
C:\Program Files\WindowsServices\WindowsAutHost    18%   ReversingLabs   Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  92%   ReversingLabs   Win64.Trojan.SilentCryptoMiner

No Antivirus matches
No Antivirus matches

Antivirus results for URLs (Source / Detection / Scanner / Label):
http://schemas.micro        0%  URL Reputation   safe
http://3csp.icrosof4m/ocp0  0%  Avira URL Cloud  safe
No contacted domains info
URLs found in memory (Name / Source / Malicious / Antivirus Detection / Reputation):
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 00000018.00000000.2161955084.00000140AD850000.00000004.00000001.00020000.00000000.sdmp  false  high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://schemas.xmlsoap.org/ws/2005/02/trust  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://docs.oasis-open.org/ws-sx/ws-trust/200512  lsass.exe, 00000018.00000000.2161955084.00000140AD850000.00000004.00000001.00020000.00000000.sdmp  false  high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://schemas.xmlsoap.org/ws/2004/09/policy  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://schemas.xmlsoap.org/wsdl/erties  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://schemas.xmlsoap.org/wsdl/soap12/  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high
http://schemas.micro  svchost.exe, 00000028.00000000.2239631619.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp  false  URL Reputation: safe  unknown
http://3csp.icrosof4m/ocp0  lsass.exe, 00000018.00000000.2162632938.00000140AE074000.00000004.00000001.00020000.00000000.sdmp  false  Avira URL Cloud: safe  unknown
http://schemas.xmlsoap.org/wsdl/  lsass.exe, 00000018.00000000.2161917431.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp  false  high

All of these were read out of the memory of the injected system processes (lsass.exe, svchost.exe). The entries rated "high" are standard WS-Policy / WS-Trust / WSDL namespace URIs belonging to Windows' own components, not attacker infrastructure; the two "unknown" entries are truncated or corrupted string fragments. None is flagged as malicious, and the report records no contacted domains or IP addresses.
                    No contacted IP infos
                    Joe Sandbox version:39.0.0 Ruby
                    Analysis ID:1379909
                    Start date and time:2024-01-23 23:29:10 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 28s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:31
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:15
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                    Detection:MAL
                    Classification:mal100.adwa.spyw.evad.winEXE@39/15@0/0
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
                    • Excluded IPs from analysis (whitelisted): 13.85.23.86, 23.40.205.80, 23.40.205.81, 23.40.205.73
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
Timeline (Time / Type / Description):
23:30:11  API Interceptor  61x Sleep call for process: powershell.exe modified
23:30:14  Task Scheduler   Run new task: WindowsAutHost path: %ProgramFiles%\WindowsServices\WindowsAutHost
23:30:46  API Interceptor  589813x Sleep call for process: winlogon.exe modified
23:30:48  API Interceptor  347676x Sleep call for process: svchost.exe modified
23:30:50  API Interceptor  566145x Sleep call for process: dwm.exe modified
Other samples in which the dropped file was seen (Match / Associated Sample Name / Detection / Threat Name):
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  file.exe  malicious  RHADAMANTHYS, RedLine, Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  WinrarInstaller.exe  malicious  Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  rBlNbC4I6Y.exe  malicious  Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  0ee4d15340837e26bed18e42753a157b.exe  malicious  Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  vHAgn4Dx00.exe  malicious  AveMaria, UACMe, Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  Readme.txt.lnk  malicious  AveMaria, UACMe, Xmrig
C:\Users\user\AppData\Local\Temp\bybyvhosusgk.tmp  PCjhei1nW5.exe  malicious  Xmrig
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                  Category:dropped
                                  Size (bytes):18746368
                                  Entropy (8bit):7.903553313262754
                                  Encrypted:false
                                  SSDEEP:393216:1zkQk7KRrH/mW+0hvqXplKlu+ny9VQkpukHb+:15k+9mlXplKUekph
                                  MD5:6B7465DE74C38692E7072C1F48C13782
                                  SHA1:5D918F8945B66044B3833FBFD7C6E540421866A4
                                  SHA-256:0F975DE9620A33D9CE23D0754E248F1FFA6F1C4A572BC2B4DC8B6B6736D70E10
                                  SHA-512:A71531311153A0AE785CE2130BBF3F4B07CEDF884DA7D3F9B8377749DA37E3A57CCDCD41E72350986E981C19DB4E153F0EA494874CA8F3F68AE4FC36BDE85672
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 18%
                                  Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(........8.............@.............................@5...........`... ..............................................#..d....05.......4..0........... 5.................................(.......................h............................text...............................`..`.data..............................@....rdata..@<..........................@..@.pdata.............................@..@.xdata..............................@..@.bss.....8..............................idata..<....0......................@....CRT....`....@......................@....tls.........P......................@....r/P.........`......................@..@.-zo......{..p...................... ..`.]24....H...........................@....j+f......... ......................`..h.reloc....... 5.....................@..@.rsrc........05.....................@..@........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1510207563435464
                                  Encrypted:false
                                  SSDEEP:3:Nlllullkv/tz:NllU+v/
                                  MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                  SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                  SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                  SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                  Malicious:false
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):338
                                  Entropy (8bit):3.9334826464221773
                                  Encrypted:false
                                  SSDEEP:6:kKw0rsNl23ibt3rMUblaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:Drsg3IbTkPlE99SCQl2DUevat
                                  MD5:56743A8A6A63AC2E79BCEA2625E4E397
                                  SHA1:FCE1A585F41643598B24EC4471663569910B1C60
                                  SHA-256:20CA1AA75E3320F95A2D0E6E1BC37A574B0619A2EF6329712D3B70D2CBC783BC
                                  SHA-512:21597D433F97501CC6C49131E895F022A03EC4AF916E827F88BF96CB5E29D6D57DCFDB88B30D18C8177D180C2147EC1C7A5F1A00377D5D6A000CCEB64C0BDEFF
                                  Malicious:false
                                  Preview:p...... ..........KN..(...............u<...M..u...KN..u.p.:N..........u...KN.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):161792
                                  Entropy (8bit):5.8318794599287465
                                  Encrypted:false
                                  SSDEEP:3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
                                  MD5:1667C96053EAA078109F8B0C9500FC9D
                                  SHA1:E0F567763BAAAA757F66F96951D9810F45F69F30
                                  SHA-256:F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
                                  SHA-512:6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 92%
                                  Joe Sandbox View:
                                  • Filename: file.exe, Detection: malicious, Browse
                                  • Filename: WinrarInstaller.exe, Detection: malicious, Browse
                                  • Filename: rBlNbC4I6Y.exe, Detection: malicious, Browse
                                  • Filename: 0ee4d15340837e26bed18e42753a157b.exe, Detection: malicious, Browse
                                  • Filename: vHAgn4Dx00.exe, Detection: malicious, Browse
                                  • Filename: Readme.txt.lnk, Detection: malicious, Browse
                                  • Filename: PCjhei1nW5.exe, Detection: malicious, Browse
                                  Preview:MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1495
                                  Entropy (8bit):5.097058147041012
                                  Encrypted:false
                                  SSDEEP:24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEBttn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEJ
                                  MD5:0BA5485BB734483955E9BE0487BBB20A
                                  SHA1:88984B30448F9E148B0CA46FE485794ADAB0EC9E
                                  SHA-256:74AB541D80D3801BAFF2198FAE97D9E53B37A1E90FB5C87B8C5DEB981ADB445B
                                  SHA-512:671415C08C88D2EFF35F7F64AAEC48782DC53E01EC0B4D26F55062CDA3D9E2FF2A606605655BD43D7A159CC7ADC0EA48E1FF5452B421D294E1F032BA9072B679
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl
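The task XML above (its preview is cut off inside the Settings block) is what installs the dropped WindowsAutHost binary as a boot-time task; the timeline entry at 23:30:14 gives the task's name and path. The following Python is an added example, not part of the report or the sample: it parses a Task Scheduler definition and flags the traits visible here (a boot trigger combined with RunLevel HighestAvailable, battery settings that keep it running, AllowHardTerminate set to false, and an extensionless command). The embedded XML is constructed to match the preview; its Actions block is assumed from the timeline entry, since the preview ends before it. One caveat the real file forces: the dropped file is ASCII text yet declares encoding="UTF-16", so the loader strips the declaration before handing the bytes to expat, which would otherwise reject the mismatch.

```python
"""Triage a Windows Task Scheduler XML definition for the persistence traits
seen in this report.

Added example; not part of the report or the sample. SAMPLE_TASK_XML is
constructed: Triggers, Principals and Settings follow the dropped task's
preview, the Actions block is assumed from the timeline entry for the
WindowsAutHost task.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
XML_DECL_BYTES = re.compile(rb"^\s*<\?xml[^>]*\?>")
XML_DECL_TEXT = re.compile(r"^\s*<\?xml[^>]*\?>")

SAMPLE_TASK_XML = rb"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%ProgramFiles%\WindowsServices\WindowsAutHost</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task(raw):
    """Parse task XML bytes. Genuine task files are UTF-16 with a BOM; the
    dropped file here is ASCII that still declares encoding="UTF-16". Feeding
    that straight to expat fails with an encoding mismatch, so decode by BOM
    when there is one and otherwise drop the declaration and parse the bytes
    as written."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ET.fromstring(XML_DECL_TEXT.sub("", raw.decode("utf-16"), count=1))
    return ET.fromstring(XML_DECL_BYTES.sub(b"", raw, count=1))


def triage(raw):
    """Return the task's commands, the traits checked, and the flags raised."""
    root = load_task(raw)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    traits = {
        "boot_trigger": root.find("t:Triggers/t:BootTrigger", NS) is not None,
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "runs_on_battery": text("t:Settings/t:DisallowStartIfOnBatteries").lower() == "false"
        and text("t:Settings/t:StopIfGoingOnBatteries").lower() == "false",
        "hard_terminate_disabled": text("t:Settings/t:AllowHardTerminate").lower() == "false",
    }
    flags = []
    if traits["boot_trigger"] and traits["run_level"] == "HighestAvailable":
        flags.append("elevated_at_boot")
    if traits["runs_on_battery"]:
        flags.append("ignores_battery")
    if traits["hard_terminate_disabled"]:
        flags.append("resists_termination")
    for cmd in commands:
        # Windows executables carry an extension; a bare 'WindowsAutHost' under
        # Program Files is the report's 'non-matching file extension' case.
        if not ntpath.splitext(ntpath.basename(cmd))[1]:
            flags.append("extensionless_command")
    return {"commands": commands, "traits": traits, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE_TASK_XML))
```

On a live host the same function can be pointed at the files under C:\Windows\System32\Tasks, which is where the registered definition ends up; those are the BOM-prefixed UTF-16 variant the loader also handles.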
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):14437
                                  Entropy (8bit):4.960379440179098
                                  Encrypted:false
                                  SSDEEP:384:iVib49PVoGIpN6KQkj2kkjh4iUxMhQzhIqYo8YKib4o:iFPV3IpNBQkj2Nh4iUxMhihIqYo8YR
                                  MD5:F2E1B889FAD5371C1763FB12D73B4EAE
                                  SHA1:AE45955F14208A1232CD0BB6EDEB1D5CC7C3CCA1
                                  SHA-256:F2EF4393FE68ED5FD087C4E656340A94B58D90B464F9427C2A01C7C880B8E95B
                                  SHA-512:0B5B26684345297B8540A7BA4D15BBDDF76B9319ABCD97835167C95EEF66B9119B7C2B63A210FB633F4A1CD0C5D23A4BDC6750C59CF0B5E53EF7B443F4E29D70
                                  Malicious:false
                                  Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1117
                                  Entropy (8bit):4.596294141775527
                                  Encrypted:false
                                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTthGCRfRBKJy:vDZhyoZWM9rU5fFc2RfRH
                                  MD5:D6F07B2DF0BD08AECA44B6AA714A3F6B
                                  SHA1:FEC1A6EE587A5166BD760CF66C36B691EEEDF8F9
                                  SHA-256:D77E1765CC5BE66A783E1C82FAAA325134911DA899903D74D14588D345497C7D
                                  SHA-512:23E92EBF5DEFFC8E42F7D4CE5BD43F793F77DE433EB1BA8A6EE0F03C004CB1E39A334F8441F44AEEF313DA3051C803348A363F2F7F853A716F56877DC7741CBB
                                  Malicious:true
                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 kaspersky.com..0.0.0.0 drweb.com..0.0.0.0 360totalsecurity.com..0.0.0.0 emsisoftware.com..0.0.0.0 bitdefender.com..0.0.0.0 bitdefe
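The hosts file above maps antivirus vendor domains to 0.0.0.0 (the preview is cut off after "bitdefe"). The following Python is an added example, not part of the report: it parses a Windows hosts file, ignores comments and the stock localhost lines, and reports which sinkholed names belong to security vendors. The hosts text is constructed from the preview plus one benign entry for contrast, and the vendor keyword list is an assumption of the example.

```python
"""Audit a Windows hosts file for sinkholed security-vendor domains.

Added example; not part of the report. SAMPLE_HOSTS is constructed from the
dropped file's preview (which is cut off after 'bitdefe') plus one benign
entry; the vendor keyword list is an assumption of this example.
"""
import ipaddress

# Addresses that make a name unreachable: Windows treats 0.0.0.0 as a black
# hole, loopback just lands on the host itself.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Substrings of domains belonging to AV / update vendors. Kept to distinctive
# tokens: short ones such as "eset" or "avg" would match unrelated names.
SECURITY_VENDOR_KEYWORDS = (
    "kaspersky", "drweb", "360totalsecurity", "emsisoft", "bitdefender",
    "malwarebytes", "sophos", "mcafee", "symantec", "norton", "trendmicro",
    "virustotal", "windowsupdate", "microsoft",
)

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost

0.0.0.0 kaspersky.com
0.0.0.0 drweb.com
0.0.0.0 360totalsecurity.com
0.0.0.0 emsisoftware.com
0.0.0.0 bitdefender.com
192.168.56.20 build-server.internal   # constructed benign entry
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and
    malformed lines are skipped, one line may name several hosts."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, str(ip), host.lower().rstrip(".")


def audit_hosts(text):
    """Return sinkholed entries (excluding the stock localhost lines), the
    subset that hit security vendors, and a verdict."""
    sinkholed = [
        (n, ip, host)
        for n, ip, host in parse_hosts(text)
        if ip in SINKHOLE_IPS and host != "localhost"
    ]
    vendor_domains = [
        host for _, _, host in sinkholed
        if any(key in host for key in SECURITY_VENDOR_KEYWORDS)
    ]
    if vendor_domains:
        verdict = "security_vendor_domains_sinkholed"
    elif sinkholed:
        verdict = "unexpected_sinkholed_entries"
    else:
        verdict = "clean"
    return {"sinkholed": sinkholed, "vendor_domains": vendor_domains, "verdict": verdict}


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Any non-localhost name pointed at a sinkhole address is reported, so the check still fires if a variant of the sample switches to 127.0.0.1 or targets vendors missing from the keyword list; the keyword match only upgrades the verdict.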
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                  Entropy (8bit):7.903553313262754
                                  TrID:
                                  • Win64 Executable (generic) (12005/4) 74.95%
                                  • Generic Win/DOS Executable (2004/3) 12.51%
                                  • DOS Executable Generic (2002/1) 12.50%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                  File name:SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  File size:18'746'368 bytes
                                  MD5:6b7465de74c38692e7072c1f48c13782
                                  SHA1:5d918f8945b66044b3833fbfd7c6e540421866a4
                                  SHA256:0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
                                  SHA512:a71531311153a0ae785ce2130bbf3f4b07cedf884da7d3f9b8377749da37e3a57ccdcd41e72350986e981c19db4e153f0ea494874ca8f3f68ae4fc36bde85672
                                  SSDEEP:393216:1zkQk7KRrH/mW+0hvqXplKlu+ny9VQkpukHb+:15k+9mlXplKUekph
                                  TLSH:F51723D089C557F4C3EA870C928B174FB7D16662D69BAE0D25D0DC032BC1E1B660BF6A
                                  File Content Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.........8.............@.............................@5...........`... ............................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x141cfe5f4
                                  Entrypoint Section:.j+f
                                  Digitally signed:false
                                  Imagebase:0x140000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                  TLS Callbacks:0x141ebb983, 0x14000500c, 0x140004ff0 (the raw listing 0x41ebb983, 0x1, 0x4000500c, 0x1, 0x40004ff0, 0x1 splits each 64-bit address into its low and high dwords; relative to Imagebase 0x140000000 the first callback lies in .j+f, the other two in .text)
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:2
                                  File Version Major:5
                                  File Version Minor:2
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:2
                                  Import Hash:6776d1a14285e6e41d63673627273c93
                                  Instruction
                                  pushfd
                                  push edx
                                  push edi
                                  dec eax
                                  mov dword ptr [esp+10h], A966FA26h
                                  dec eax
                                  lea esp, dword ptr [esp+10h]
                                  call 00007F606CF2949Fh
                                  and eax, 8F2050A4h
                                  sbb byte ptr [edi+74A3ECA0h], ah
                                  js 00007F606CC06AC9h
                                  mov al, byte ptr [30E470ECh]
                                  cmpsd
                                  mov al, byte ptr [E0F830ECh]
                                  cmpsd
                                  mov al, byte ptr [48FC5FECh]
                                  cmpsd
                                  mov al, byte ptr [40FB97ECh]
                                  cmpsd
                                  mov al, byte ptr [E0242CECh]
                                  cmpsd
                                  mov al, byte ptr [68DF94ECh]
                                  cmpsd
                                  mov al, byte ptr [5983A3ECh]
                                  pop ecx
                                  push ebp
                                  cmp edx, ebx
                                  mov dword ptr [D243881Bh], eax
                                  mov esp, 283CF644h
                                  xor eax, 004F4D1Dh
                                  push ss
                                  movsb
                                  mov dword ptr [esi], ebx
                                  xchg eax, edx
                                  call far 28B1h : F94636DCh
                                  dec eax
                                  dec edx
                                  lahf
                                  insb
                                  bound esp, dword ptr [eax-7696F7F2h]
                                  cmp al, EDh
                                  movsb
                                  or dword ptr [edi+1F3817C4h], eax
                                  inc edi
                                  sbb al, 36h
                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x1e92318        0x64          .j+f
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2353000        0x388         .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x234e5d0        0x30f0        .j+f
                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2352000        0xfc          .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_TLS             0x1f0a898        0x28          .j+f
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IAT             0x1171000        0x68          .]24
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                  Name    Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
                                  .text   0x1000           0x84a8        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .data   0xa000           0x99eb80      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .rdata  0x9a9000         0x3c40        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .pdata  0x9ad000         0x78c         0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .xdata  0x9ae000         0x588         0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .bss    0x9af000         0x3800        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .idata  0x9b3000         0x63c         0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .CRT    0x9b4000         0x60          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .tls    0x9b5000         0x10          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .r/P    0x9b6000         0x388         0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                empty      0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .-zo    0x9b7000         0x7b9ba0      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .]24    0x1171000        0x848         0xa00      15019b11cd0df34acede6ea00763a206  False     0.02734375       data       0.16587117256355974  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  .j+f    0x1172000        0x11df6c0     0x11df800  26cfc192ff592085d736f1906ac21838  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .reloc  0x2352000        0xfc          0x200      11ad576c9298249a758cb4ac0b2f9e11  False     0.359375         data       2.332931438091159    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .rsrc   0x2353000        0x388         0x400      ee4e7e739dcbabc9b9af92eafa573c7a  False     0.44921875       data       5.022527383627671    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  Name         RVA        Size   Type                          Language  Country        ZLIB Complexity
                                  RT_MANIFEST  0x2353058  0x330  XML 1.0 document, ASCII text  English   United States  0.508578431372549
                                  DLL           Import
                                  KERNEL32.dll  DeleteCriticalSection
                                  msvcrt.dll    __C_specific_handler
                                  KERNEL32.dll  GetSystemTimeAsFileTime
                                  KERNEL32.dll  HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress
                                  Language of compilation system  Country where language is spoken  Map
                                  English                         United States
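The static data above carries the packer fingerprint of this sample: every original section (.text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls) has a raw size of 0 and the MD5 of empty input, the entry point sits in a section named .j+f that holds almost the whole file, the overall entropy is 7.9 and the TimeDateStamp is 0. The script below is an added example, not part of the Joe Sandbox report, that checks a PE image for exactly those indicators with the standard library only. Because the sample itself is not on this page, it builds two constructed PE32+ images, one shaped like this sample and one shaped like a normal build. The 7.0 entropy threshold and the set of characters accepted in a section name are the example's own assumptions.

```python
"""Static PE triage (added example, standard library only)."""
import math
import random
import re
import struct

SAFE_NAME = re.compile(rb"^[A-Za-z0-9_.$]+$")  # section names compilers and linkers normally emit
HEADERS_SIZE = 0x400                            # file offset where raw section data starts
FILE_ALIGN = 0x200

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random (encrypted or compressed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes):
    """Return (TimeDateStamp, AddressOfEntryPoint, sections) for a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER array follows the optional header
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr = hdr[0].rstrip(b"\0"), hdr[1], hdr[2], hdr[3], hdr[4]
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return timestamp, entry_rva, sections

def triage(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable packer indicators; an empty list means nothing odd."""
    timestamp, entry, sections = parse_pe(image)
    findings, entry_section = [], None
    if timestamp == 0:
        findings.append("zeroed TimeDateStamp (1970-01-01)")
    for s in sections:
        name = s["name"].decode("latin-1")
        if not SAFE_NAME.match(s["name"]):
            findings.append(f"section name with special characters: {name!r}")
        if s["raw_size"] == 0 and s["vsize"] > 0:   # filled at runtime by an unpacking stub
            findings.append(f"section {name!r} has 0x{s['vsize']:x} virtual bytes but no raw data")
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            findings.append(f"high-entropy section {name!r} ({s['entropy']:.2f} bits/byte)")
        if s["va"] <= entry < s["va"] + s["vsize"]:
            entry_section = name
    if entry_section != ".text":
        findings.append(f"entry point 0x{entry:x} is in {entry_section!r}, not .text")
    return findings

def build_image(sections, entry_rva: int, timestamp: int) -> bytes:
    """Build a minimal PE32+ image for testing (constructed; not the sample on this page).
    sections: (name, virtual address, virtual size, raw bytes or None, characteristics)."""
    headers, blobs = bytearray(), bytearray()
    for name, va, vsize, raw, chars in sections:
        raw_size = 0 if raw is None else len(raw)
        raw_ptr = HEADERS_SIZE + len(blobs) if raw_size else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        if raw_size:
            blobs += raw + b"\0" * (-raw_size % FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x22)
    optional = struct.pack("<HBBIIII", 0x20B, 0, 0, 0, 0, 0, entry_rva).ljust(240, b"\0")
    image = (dos + b"PE\0\0" + coff + optional + headers).ljust(HEADERS_SIZE, b"\0")
    return bytes(image + blobs)

CODE = 0x60000020  # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x40000040  # IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

def packed_sample() -> bytes:
    """Modelled on the report: empty .text, odd-named high-entropy section holding the entry point, zero timestamp."""
    rng = random.Random(1)  # deterministic stand-in for an encrypted payload
    blob = bytes(rng.getrandbits(8) for _ in range(0x1000))
    return build_image([(b".text", 0x1000, 0x84a8, None, CODE), (b".j+f", 0xa000, 0x1000, blob, CODE),
                        (b".rsrc", 0xb000, 0x200, b"\0" * 0x200, DATA)], entry_rva=0xa100, timestamp=0)

def clean_sample() -> bytes:
    """A normal build: real code bytes in .text, entry point there, non-zero timestamp."""
    code = bytes.fromhex("4883ec28e8000000004883c428c3") * 64  # sub rsp,28h; call $+5; add rsp,28h; ret
    return build_image([(b".text", 0x1000, len(code), code, CODE), (b".rdata", 0x2000, 0x200, b"\0" * 0x200, DATA)],
                       entry_rva=0x1000, timestamp=0x65AF0000)
```

`triage(packed_sample())` returns five findings (zero timestamp, empty .text, the special-character name, the high-entropy section and the entry point outside .text), while `triage(clean_sample())` returns an empty list. To run it against a real file, pass `open(path, "rb").read()` to `triage`; note that `parse_pe` trusts the header offsets, so a deliberately malformed sample can make the slices come back empty rather than raise.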
                                  No network behavior found

                                  Target ID:0
                                  Start time:23:30:04
                                  Start date:23/01/2024
                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe
                                  Imagebase:0x7ff700f90000
                                  File size:18'746'368 bytes
                                  MD5 hash:6B7465DE74C38692E7072C1F48C13782
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:23:30:10
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:23:30:10
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:23:30:12
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                  Imagebase:0x7ff6ef0c0000
                                  File size:496'640 bytes
                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:5
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                  Imagebase:0x7ff7176a0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc stop UsoSvc
                                  Imagebase:0x7ff7abfc0000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:8
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc stop WaaSMedicSvc
                                  Imagebase:0x7ff7abfc0000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:9
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc stop wuauserv
                                  Imagebase:0x7ff7abfc0000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:10
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc stop bits
                                  Imagebase:0x7ff7abfc0000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:11
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\sc.exe
                                  Wow64 process (32bit):false
                                  Commandline:sc stop dosvc
                                  Imagebase:0x7ff7abfc0000
                                  File size:72'192 bytes
                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:12
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                  Imagebase:0x7ff7176a0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:13
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\dialer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\dialer.exe
                                  Imagebase:0x7ff73dea0000
                                  File size:39'936 bytes
                                  MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:15
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\powercfg.exe
                                  Wow64 process (32bit):false
                                  Commandline:powercfg /x -hibernate-timeout-ac 0
                                  Imagebase:0x7ff746ea0000
                                  File size:96'256 bytes
                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:18
                                  Start time:23:30:13
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\powercfg.exe
                                  Wow64 process (32bit):false
                                  Commandline:powercfg /x -hibernate-timeout-dc 0
                                  Imagebase:0x7ff746ea0000
                                  File size:96'256 bytes
                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\winlogon.exe
                                  Wow64 process (32bit):false
                                  Commandline:winlogon.exe
                                  Imagebase:0x7ff6156c0000
                                  File size:906'240 bytes
                                  MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:21
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\powercfg.exe
                                  Wow64 process (32bit):false
                                  Commandline:powercfg /x -standby-timeout-ac 0
                                  Imagebase:0x7ff746ea0000
                                  File size:96'256 bytes
                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:23
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\powercfg.exe
                                  Wow64 process (32bit):false
                                  Commandline:powercfg /x -standby-timeout-dc 0
                                  Imagebase:0x7ff746ea0000
                                  File size:96'256 bytes
                                  MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true
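
The process entries above record the sample's defence-evasion sequence in the clear: Target 2 adds a Defender exclusion for the whole user profile and Program Files, Target 5 fans out into five sc.exe children (Targets 7 to 11) that stop the Windows Update related services UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc, Target 12 spawns powercfg to zero the standby and hibernate timeouts, and Target 14 is dialer.exe started with no arguments, a LOLBin later used as an injection host. The following is an added detection example and not part of the report. It runs per-event rules over constructed process-creation events whose command lines are copied from the entries above (PIDs, parent links and the field names are made up, not Sysmon's), and correlates the individual sc stop events into one alert per parent, which is the logic behind a "stop multiple services" style rule.

```python
"""Detection logic (added example) for the chain in the process list above."""
import re
from collections import defaultdict

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
SC_TAMPER = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+(\S+)", re.I)
POWERCFG_TIMEOUT = re.compile(
    r"powercfg(?:\.exe)?\s+[-/](?:x|change)\s+-?(?:standby|hibernate|monitor)-timeout-(?:ac|dc)\s+0\b", re.I)

def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (rule, pid) alerts for process-creation events given as dicts with
    pid, ppid, image, parent_image and cmdline (field names are this example's own)."""
    alerts = []
    stopped_by_parent = defaultdict(set)          # ppid -> update services its children stopped
    for ev in events:
        img, cmd = image_name(ev["image"]), ev["cmdline"]
        if img == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            alerts.append(("defender_exclusion_added", ev["pid"]))
        m = SC_TAMPER.search(cmd) if img == "sc.exe" else None
        if m and m.group(1).lower() in UPDATE_SERVICES:
            alerts.append(("update_service_stopped", ev["pid"]))
            stopped_by_parent[ev["ppid"]].add(m.group(1).lower())
        if img == "powercfg.exe" and POWERCFG_TIMEOUT.search(cmd):
            alerts.append(("sleep_timeout_disabled", ev["pid"]))
        no_args = cmd.strip().strip('"').lower() == ev["image"].lower()
        if img == "dialer.exe" and no_args and image_name(ev["parent_image"]) != "explorer.exe":
            alerts.append(("argless_dialer_spawn", ev["pid"]))
    for ppid, services in stopped_by_parent.items():   # correlation: one parent, 3+ update services
        if len(services) >= 3:
            alerts.append(("multiple_update_services_stopped", ppid))
    return alerts

def ev(pid, ppid, image, parent_image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image, "parent_image": parent_image,
            "cmdline": image if cmdline is None else cmdline}

SYS32 = r"C:\Windows\System32"
DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: command lines are the ones in the report, PIDs and parent links are made up.
SAMPLE_EVENTS = [
    ev(100, 1, DROPPER, r"C:\Windows\explorer.exe"),
    ev(102, 100, PS, DROPPER, PS + " Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ev(105, 100, SYS32 + r"\cmd.exe", DROPPER, SYS32 + r"\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc"
       " & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    *[ev(107 + i, 105, SYS32 + r"\sc.exe", SYS32 + r"\cmd.exe", "sc stop " + svc)
      for i, svc in enumerate(["UsoSvc", "WaaSMedicSvc", "wuauserv", "bits", "dosvc"])],
    ev(115, 112, SYS32 + r"\powercfg.exe", SYS32 + r"\cmd.exe", "powercfg /x -hibernate-timeout-ac 0"),
    ev(121, 112, SYS32 + r"\powercfg.exe", SYS32 + r"\cmd.exe", "powercfg /x -standby-timeout-ac 0"),
    ev(114, 100, SYS32 + r"\dialer.exe", DROPPER),
    ev(200, 50, SYS32 + r"\sc.exe", SYS32 + r"\cmd.exe", "sc query wuauserv"),      # benign, must not fire
    ev(201, 50, SYS32 + r"\powercfg.exe", SYS32 + r"\cmd.exe", "powercfg /list"),   # benign, must not fire
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid}")
```

On the sample events this yields ten alerts: one Defender exclusion, five single service stops, the correlated stop of multiple update services attributed to the cmd.exe parent, two zeroed power timeouts and the argument-less dialer.exe launch; the two benign sc query and powercfg /list events produce nothing. The exclusion rule deliberately matches -ExclusionProcess and -ExclusionExtension as well as -ExclusionPath, since the sample's variant is only one of the forms seen in the wild.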

                                  Target ID:24
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\lsass.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\lsass.exe
                                  Imagebase:0x7ff654c90000
                                  File size:59'456 bytes
                                  MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:26
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Program Files\WindowsServices\WindowsAutHost
                                  Wow64 process (32bit):false
                                  Commandline:C:\Program Files\WindowsServices\WindowsAutHost
                                  Imagebase:0x7ff605950000
                                  File size:18'746'368 bytes
                                  MD5 hash:6B7465DE74C38692E7072C1F48C13782
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 18%, ReversingLabs
                                  Has exited:false

                                  Target ID:28
                                  Start time:23:30:14
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:29
                                  Start time:23:30:15
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\dwm.exe
                                  Wow64 process (32bit):false
                                  Commandline:dwm.exe
                                  Imagebase:0x7ff79d4a0000
                                  File size:94'720 bytes
                                  MD5 hash:5C27608411832C5B39BA04E33D53536C
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:30
                                  Start time:23:30:17
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:31
                                  Start time:23:30:17
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:32
                                  Start time:23:30:17
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:33
                                  Start time:23:30:18
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:34
                                  Start time:23:30:18
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:35
                                  Start time:23:30:20
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:37
                                  Start time:23:30:21
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:38
                                  Start time:23:30:21
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Has exited:false

                                  Target ID:39
                                  Start time:23:30:21
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:40
                                  Start time:23:30:22
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:41
                                  Start time:23:30:22
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:42
                                  Start time:23:30:22
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:43
                                  Start time:23:30:23
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:45
                                  Start time:23:30:51
                                  Start date:23/01/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):
                                  Commandline:C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                  Imagebase:
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:
                                  Has administrator privileges:
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  No disassembly