Windows Analysis Report
SpeedHack666Cheat (no VM detected).exe

Overview

General Information

Sample name: SpeedHack666Cheat (no VM detected).exe
Analysis ID: 1533472
MD5: 65c0f9249f64c65cda3e5ea32126fc1f
SHA1: d567a001160109f58a4ec43db2abd9971e01afa7
SHA256: 7522fa6d0f83eac9662ae47af048f02ddfaab925738cec1280b0c5c7788d2d0a
Tags: exe, user-MDMCk10

Detection

Njrat, RevengeRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected Njrat
Yara detected RevengeRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Disables Windows Defender (via service or powershell)
Disables zone checking for all users
Drops PE files to the startup folder
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Startup Folder File Write
Sigma detected: Unusual Parent Process For Cmd.EXE
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) [that] has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: SpeedHack666Cheat (no VM detected).exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\dllhost.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ClickMe.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: Yara match File source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 4940, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe Joe Sandbox ML: detected
Source: C:\ProgramData\dllhost.exe Joe Sandbox ML: detected
Source: C:\ClickMe.exe Joe Sandbox ML: detected
Source: SpeedHack666Cheat (no VM detected).exe Joe Sandbox ML: detected
Source: SpeedHack666Cheat (no VM detected).exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Networking

Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49710 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49710 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49717 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49717 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49714 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49714 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49720 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49720 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49719 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49719 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49716 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49716 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49715 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49715 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49718 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49718 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49721 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49721 -> 147.185.221.23:6666
Source: global traffic TCP traffic: 192.168.2.8:49710 -> 147.185.221.23:6666
Source: Joe Sandbox View IP Address: 147.185.221.23 147.185.221.23
Source: Joe Sandbox View ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: order-resident.gl.at.ply.gg
Source: svchost.exe, 0000001C.00000002.3397450783.000001AAA9C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.28.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.28.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: edb.log.28.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000001C.00000003.1710431158.000001AAA9A00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.0000000002552000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.000000000254F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.000000000265F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.0000000002662000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000029.00000002.2777347353.0000000002702000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000029.00000002.2777347353.00000000026FF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000002A.00000002.3335794048.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000002A.00000002.3335794048.00000000027C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/???
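
The eighteen Suricata lines above are two signatures (SIDs 2033132 and 2021176) firing on one client, 192.168.2.8, reconnecting to 147.185.221.23:6666 from nine ephemeral source ports (49710 and 49714 to 49721); they describe a single infected host in a reconnect loop, not nine sources. The Python below is an added example and not part of the Joe Sandbox report: it parses lines in the report's own format into one record per destination endpoint and derives a flat IOC list from them. `REPORT_LINES` is a constructed subset of the lines above; the `COMMON_PORTS` set and the beacon heuristic (severity-1 alerts from at least two distinct client sockets to a non-standard port) are our assumptions, and the DNS regex is anchored on the full report phrase so that the "UDP traffic detected without corresponding DNS query: 1.1.1.1" line is not mistaken for a lookup.

```python
"""Aggregate the Suricata, TCP and DNS lines of this report into per-endpoint C2 records.

Added example for this report, not Joe Sandbox code. REPORT_LINES is a subset of the
Networking section above, constructed here as sample input; the parsing, COMMON_PORTS and
the beacon heuristic are our assumptions.
"""
import re
from collections import defaultdict

REPORT_LINES = """\
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49710 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49710 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49717 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49717 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.8:49714 -> 147.185.221.23:6666
Source: Network traffic Suricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.8:49714 -> 147.185.221.23:6666
Source: global traffic TCP traffic: 192.168.2.8:49710 -> 147.185.221.23:6666
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: order-resident.gl.at.ply.gg
"""

FLOW = (r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
        r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$")
ALERT_RE = re.compile(r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : " + FLOW)
TCP_RE = re.compile(r"TCP traffic: " + FLOW)
# Anchored on the full phrase so a line mentioning 'without corresponding DNS query' is not treated as a lookup.
DNS_RE = re.compile(r"DNS traffic detected: DNS query: (?P<name>[\w.-]+)\s*$")

# Ports where a severity-1 C2 alert still deserves a second look before blocking (assumption).
COMMON_PORTS = {53, 80, 123, 443, 853, 8080, 8443}


def parse(text):
    """Split report lines into Suricata alerts, plain TCP flows and queried DNS names."""
    alerts, flows, names = [], [], []
    for line in text.splitlines():
        if m := ALERT_RE.search(line):
            d = m.groupdict()
            d.update(sid=int(d["sid"]), sev=int(d["sev"]), sport=int(d["sport"]), dport=int(d["dport"]))
            alerts.append(d)
        elif m := TCP_RE.search(line):
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
        elif m := DNS_RE.search(line):
            names.append(m["name"])
    return alerts, flows, names


def endpoints(alerts, flows):
    """One record per 'dst:port': SIDs and messages that fired, distinct client sockets, worst severity."""
    recs = defaultdict(lambda: {"sids": set(), "msgs": set(), "client_sockets": set(), "severity": None})
    for a in alerts:
        r = recs[f"{a['dst']}:{a['dport']}"]
        r["sids"].add(a["sid"])
        r["msgs"].add(a["msg"])
        r["client_sockets"].add((a["src"], a["sport"]))
        # Suricata severity 1 is the highest priority, so keep the minimum.
        r["severity"] = a["sev"] if r["severity"] is None else min(r["severity"], a["sev"])
    for src, sport, dst, dport in flows:
        recs[f"{dst}:{dport}"]["client_sockets"].add((src, sport))
    return dict(recs)


def is_beacon(rec, port):
    """Heuristic: severity-1 alerts, repeated from distinct client sockets, to a non-standard port."""
    return rec["severity"] == 1 and len(rec["client_sockets"]) >= 2 and port not in COMMON_PORTS


def iocs(text):
    """Flat IOC list for blocking/hunting: beacon-like C2 endpoints plus every name queried."""
    alerts, flows, names = parse(text)
    out = []
    for key, rec in endpoints(alerts, flows).items():
        port = int(key.rsplit(":", 1)[1])
        if is_beacon(rec, port):
            out.append(key)
    return sorted(out) + sorted(set(names))


if __name__ == "__main__":
    for key, rec in endpoints(*parse(REPORT_LINES)[:2]).items():
        print(key, sorted(rec["sids"]), f"{len(rec['client_sockets'])} client sockets")
    print(iocs(REPORT_LINES))
```

The only DNS query in the capture is for order-resident.gl.at.ply.gg and the report places the IP in a hosting ASN (SALSGIVERUS), so for hunting we would treat the domain as the primary indicator and the IP:port pair as secondary; that weighting is our recommendation, not the report's.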

E-Banking Fraud

Source: Yara match File source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 4940, type: MEMORYSTR

Operating System Destruction

Source: C:\ProgramData\dllhost.exe Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1, set through the NtSetInformationProcess calls listed under System Summary; terminating this process outright would bug-check the host)

System Summary

Source: SpeedHack666Cheat (no VM detected).exe, type: SAMPLE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.37d4268.1.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.386da98.0.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.37d4268.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.0.SpeedHack666Cheat (no VM detected).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\dllhost.exe, type: DROPPED Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe, type: DROPPED Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: C:\ClickMe.exe, type: DROPPED Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: C:\ProgramData\dllhost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_0097B266 NtQuerySystemInformation, 0_2_0097B266
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_0097B235 NtQuerySystemInformation, 0_2_0097B235
Source: C:\ProgramData\dllhost.exe Code function: 2_2_0083B4E2 NtQuerySystemInformation, 2_2_0083B4E2
Source: C:\ProgramData\dllhost.exe Code function: 2_2_0083B4B1 NtQuerySystemInformation, 2_2_0083B4B1
Source: C:\ProgramData\dllhost.exe Code function: 2_2_068606CE NtSetInformationProcess, 2_2_068606CE
Source: C:\ProgramData\dllhost.exe Code function: 2_2_068606AC NtSetInformationProcess, 2_2_068606AC
Source: C:\ProgramData\dllhost.exe Code function: 26_2_0063B4E2 NtQuerySystemInformation, 26_2_0063B4E2
Source: C:\ProgramData\dllhost.exe Code function: 26_2_0063B4B1 NtQuerySystemInformation, 26_2_0063B4B1
Source: C:\ProgramData\dllhost.exe Code function: 37_2_0073B4E2 NtQuerySystemInformation, 37_2_0073B4E2
Source: C:\ProgramData\dllhost.exe Code function: 37_2_0073B4B1 NtQuerySystemInformation, 37_2_0073B4B1
Source: C:\ProgramData\dllhost.exe Code function: 38_2_0083B4E2 NtQuerySystemInformation, 38_2_0083B4E2
Source: C:\ProgramData\dllhost.exe Code function: 38_2_0083B4B1 NtQuerySystemInformation, 38_2_0083B4B1
Source: C:\ProgramData\dllhost.exe Code function: 39_2_0082B4E2 NtQuerySystemInformation, 39_2_0082B4E2
Source: C:\ProgramData\dllhost.exe Code function: 39_2_0082B4B1 NtQuerySystemInformation, 39_2_0082B4B1
Source: C:\ProgramData\dllhost.exe Code function: 41_2_0086B4E2 NtQuerySystemInformation, 41_2_0086B4E2
Source: C:\ProgramData\dllhost.exe Code function: 41_2_0086B4B1 NtQuerySystemInformation, 41_2_0086B4B1
Source: C:\ProgramData\dllhost.exe Code function: 42_2_0082B4E2 NtQuerySystemInformation, 42_2_0082B4E2
Source: C:\ProgramData\dllhost.exe Code function: 42_2_0082B4B1 NtQuerySystemInformation, 42_2_0082B4B1
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\ProgramData\dllhost.exe Code function: 2_2_04BC3C90 2_2_04BC3C90
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1486555401.00000000005CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs SpeedHack666Cheat (no VM detected).exe
Source: SpeedHack666Cheat (no VM detected).exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: SpeedHack666Cheat (no VM detected).exe, type: SAMPLE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.37d4268.1.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.386da98.0.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.37d4268.1.raw.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.SpeedHack666Cheat (no VM detected).exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\ProgramData\dllhost.exe, type: DROPPED Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe, type: DROPPED Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ClickMe.exe, type: DROPPED Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: SpeedHack666Cheat (no VM detected).exe, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs Cryptographic APIs: 'CreateDecryptor'
Source: SpeedHack666Cheat (no VM detected).exe, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: SpeedHack666Cheat (no VM detected).exe, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: SpeedHack666Cheat (no VM detected).exe, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: SpeedHack666Cheat (no VM detected).exe, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: ClickMe.exe.0.dr, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs Cryptographic APIs: 'CreateDecryptor'
Source: ClickMe.exe.0.dr, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: ClickMe.exe.0.dr, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: ClickMe.exe.0.dr, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: ClickMe.exe.0.dr, FOBGOMGCLCDKKFGLBHOEPDKOBBHNJGLJBHOM.cs Cryptographic APIs: 'CreateDecryptor'
Source: dllhost.exe.0.dr, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.troj.adwa.evad.winEXE@52/16@1/2
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_0097B0EA AdjustTokenPrivileges, 0_2_0097B0EA
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_0097B0B3 AdjustTokenPrivileges, 0_2_0097B0B3
Source: C:\ProgramData\dllhost.exe Code function: 2_2_0083B366 AdjustTokenPrivileges, 2_2_0083B366
Source: C:\ProgramData\dllhost.exe Code function: 2_2_0083B32F AdjustTokenPrivileges, 2_2_0083B32F
Source: C:\ProgramData\dllhost.exe Code function: 26_2_0063B366 AdjustTokenPrivileges, 26_2_0063B366
Source: C:\ProgramData\dllhost.exe Code function: 26_2_0063B32F AdjustTokenPrivileges, 26_2_0063B32F
Source: C:\ProgramData\dllhost.exe Code function: 37_2_0073B366 AdjustTokenPrivileges, 37_2_0073B366
Source: C:\ProgramData\dllhost.exe Code function: 37_2_0073B32F AdjustTokenPrivileges, 37_2_0073B32F
Source: C:\ProgramData\dllhost.exe Code function: 38_2_0083B366 AdjustTokenPrivileges, 38_2_0083B366
Source: C:\ProgramData\dllhost.exe Code function: 38_2_0083B32F AdjustTokenPrivileges, 38_2_0083B32F
Source: C:\ProgramData\dllhost.exe Code function: 39_2_0082B366 AdjustTokenPrivileges, 39_2_0082B366
Source: C:\ProgramData\dllhost.exe Code function: 39_2_0082B32F AdjustTokenPrivileges, 39_2_0082B32F
Source: C:\ProgramData\dllhost.exe Code function: 41_2_0086B366 AdjustTokenPrivileges, 41_2_0086B366
Source: C:\ProgramData\dllhost.exe Code function: 41_2_0086B32F AdjustTokenPrivileges, 41_2_0086B32F
Source: C:\ProgramData\dllhost.exe Code function: 42_2_0082B366 AdjustTokenPrivileges, 42_2_0082B366
Source: C:\ProgramData\dllhost.exe Code function: 42_2_0082B32F AdjustTokenPrivileges, 42_2_0082B32F
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SpeedHack666Cheat (no VM detected).exe.log
Source: C:\ProgramData\dllhost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\ProgramData\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\ProgramData\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
Source: C:\ProgramData\dllhost.exe File created: C:\Users\user\AppData\Local\Temp\obito.txt
Source: SpeedHack666Cheat (no VM detected).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SpeedHack666Cheat (no VM detected).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Wireshark.exe")
Source: C:\ProgramData\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Wireshark.exe")
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File read: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe
Source: unknown Process created: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe "C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe"
Source: unknown Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe"
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +h "C:\ProgramData\dllhost.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc query windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc query windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc stop windefend
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc delete windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn CleanSweepCheck /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\ProgramData\dllhost.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: unknown Process created: C:\ProgramData\dllhost.exe C:\ProgramData\dllhost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im Wireshark.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Wireshark.exe
Source: unknown Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe" ..
Source: unknown Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe" ..
Source: unknown Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe" ..
Source: unknown Process created: C:\ProgramData\dllhost.exe C:\ProgramData\dllhost.exe
Source: unknown Process created: C:\ProgramData\dllhost.exe C:\ProgramData\dllhost.exe
Source: unknown Process created: C:\ProgramData\dllhost.exe C:\ProgramData\dllhost.exe
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe"
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +h "C:\ProgramData\dllhost.exe"
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc query windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc stop windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc delete windefend
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn CleanSweepCheck /f
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\ProgramData\dllhost.exe
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc query windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Wireshark.exe
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
Source: C:\ProgramData\dllhost.exe Section loaded: apphelp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: textshaping.dll
Source: C:\ProgramData\dllhost.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\dllhost.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\dllhost.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\dllhost.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\dllhost.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wintypes.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wintypes.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wintypes.dll
Source: C:\ProgramData\dllhost.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\dllhost.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mswsock.dll
Source: C:\ProgramData\dllhost.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\dllhost.exe Section loaded: sspicli.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\dllhost.exe Section loaded: amsi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: userenv.dll
Source: C:\ProgramData\dllhost.exe Section loaded: avicap32.dll
Source: C:\ProgramData\dllhost.exe Section loaded: msvfw32.dll
Source: C:\ProgramData\dllhost.exe Section loaded: winmm.dll
Source: C:\ProgramData\dllhost.exe Section loaded: winmm.dll
Source: C:\ProgramData\dllhost.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Section loaded: shfolder.dll
Source: C:\ProgramData\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\dllhost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Data Obfuscation

Source: SpeedHack666Cheat (no VM detected).exe, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: ClickMe.exe.0.dr, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: dllhost.exe.0.dr, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.37d4268.1.raw.unpack, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SpeedHack666Cheat (no VM detected).exe.386da98.0.raw.unpack, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: 87078a174f1e0ed9d58afdf2d6d178c3.exe.2.dr, JPIGAIGLMLGAPAPCOMNMCOFGCCHOODAODJNE.cs .Net Code: AENHFKOMDOELCJJKFJCDPBLMPIFDPLMEIOHL System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_00B55CC8 push cs; iretd 0_2_00B55CD4
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Code function: 0_2_00B553B7 push ebx; iretd 0_2_00B553BD
Source: C:\ProgramData\dllhost.exe Code function: 2_2_00848A50 push esp; iretd 2_2_00848F09
Source: C:\ProgramData\dllhost.exe Code function: 2_2_04855CC8 push cs; iretd 2_2_04855CD4
Source: C:\ProgramData\dllhost.exe Code function: 2_2_048553B7 push ebx; iretd 2_2_048553BD
Source: C:\ProgramData\dllhost.exe Code function: 26_2_04845CC8 push cs; iretd 26_2_04845CD4
Source: C:\ProgramData\dllhost.exe Code function: 26_2_048453B7 push ebx; iretd 26_2_048453BD
Source: C:\ProgramData\dllhost.exe Code function: 37_2_04845CC8 push cs; iretd 37_2_04845CD4
Source: C:\ProgramData\dllhost.exe Code function: 37_2_048453B7 push ebx; iretd 37_2_048453BD
Source: C:\ProgramData\dllhost.exe Code function: 38_2_04855CC8 push cs; iretd 38_2_04855CD4
Source: C:\ProgramData\dllhost.exe Code function: 38_2_048553B7 push ebx; iretd 38_2_048553BD
Source: C:\ProgramData\dllhost.exe Code function: 39_2_009A5CC8 push cs; iretd 39_2_009A5CD4
Source: C:\ProgramData\dllhost.exe Code function: 39_2_009A53B7 push ebx; iretd 39_2_009A53BD
Source: C:\ProgramData\dllhost.exe Code function: 41_2_04845CC8 push cs; iretd 41_2_04845CD4
Source: C:\ProgramData\dllhost.exe Code function: 41_2_048453B7 push ebx; iretd 41_2_048453BD
Source: C:\ProgramData\dllhost.exe Code function: 42_2_00995CC8 push cs; iretd 42_2_00995CD4
Source: C:\ProgramData\dllhost.exe Code function: 42_2_009953B7 push ebx; iretd 42_2_009953BD
Source: C:\ProgramData\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File created: C:\ClickMe.exe
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File created: C:\ProgramData\dllhost.exe
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe File created: C:\ProgramData\dllhost.exe

Boot Survival

Source: C:\ProgramData\dllhost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\ProgramData\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn CleanSweepCheck /f
Source: C:\ProgramData\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe
Source: C:\ProgramData\dllhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe
Source: C:\ProgramData\dllhost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\ProgramData\dllhost.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\ProgramData\dllhost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\ProgramData\dllhost.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 87078a174f1e0ed9d58afdf2d6d178c3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc query windefend
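The Boot Survival events above amount to a short checklist for host triage: a Run value under HKCU and under the WOW6432Node HKLM hive, a raw PE dropped into the per-user Startup folder, a copy of the sample named after a system binary (dllhost.exe) living in C:\ProgramData, a scheduled task being deleted, and a query of the Defender service. The script below is an added example, not part of the Joe Sandbox report or of the sample, that checks a live host for exactly those artefacts and then generalises slightly: any 32-hex-digit Run value name, any Run target under ProgramData, AppData or the drive root, any non-shortcut file in a Startup folder, and any process with a System32-only name running from elsewhere. The indicator strings come from the report; the extra masquerade names, the all-users Startup folder and the TaskScheduler event ID 141 check are assumptions noted in the comments.

```powershell
# Added triage script (not part of the Joe Sandbox report). Run elevated so HKLM,
# other users' processes and the TaskScheduler log are readable.
$IndicatorName   = '87078a174f1e0ed9d58afdf2d6d178c3'          # Run value / Startup exe name from the report
$DroppedPaths    = @('C:\ProgramData\dllhost.exe', 'C:\ClickMe.exe')
$DeletedTaskName = 'CleanSweepCheck'

$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder (used by the sample)
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder (assumption: also worth checking)
)
# Names that normally live only under System32/SysWOW64. dllhost.exe is the name the sample
# borrowed; the others are assumed common masquerade targets, not taken from the report.
$SystemOnlyNames = @('dllhost.exe', 'svchost.exe', 'conhost.exe', 'RuntimeBroker.exe')
$SystemDirs      = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

$Findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Run keys: the exact value name from the report, any 32-hex-digit value name (the
#    sample's naming style) and any target under ProgramData, AppData or the drive root.
$SuspiciousTarget = '^(c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\|c:\\[^\\]+\.exe)'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Prop in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }    # skip PSPath/PSParentPath/... members
        $Target = [Environment]::ExpandEnvironmentVariables(([string]$Prop.Value).Trim('"'))
        if ($Prop.Name -eq $IndicatorName -or
            $Prop.Name -match '^[0-9a-f]{32}$' -or
            $Target -match $SuspiciousTarget) {
            Add-Finding 'RunKey' "$Key\$($Prop.Name)" $Target
        }
    }
}

# 2. Startup folders: shortcuts (.lnk) are normal here, raw PE and script files are not.
foreach ($Dir in $StartupDirs) {
    if (-not (Test-Path $Dir)) { continue }
    Get-ChildItem -Path $Dir -File -Force |
        Where-Object { $_.Extension -in @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1') } |
        ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'StartupFolder' $_.FullName ('{0} bytes, SHA256 {1}' -f $_.Length, $Hash)
        }
}

# 3. Dropped paths from the report, plus system-binary names running outside System32/SysWOW64.
foreach ($Path in $DroppedPaths) {
    if (Test-Path $Path) {
        Add-Finding 'DroppedFile' $Path ('SHA256 ' + (Get-FileHash -Path $Path -Algorithm SHA256).Hash)
    }
}
foreach ($Proc in (Get-Process | Where-Object { $_.Path })) {   # Path is $null where access is denied
    $Name = [IO.Path]::GetFileName($Proc.Path)
    if ($SystemOnlyNames -contains $Name) {
        $InSystemDir = $false
        foreach ($D in $SystemDirs) {
            if ($Proc.Path.StartsWith($D, [StringComparison]::OrdinalIgnoreCase)) { $InSystemDir = $true }
        }
        if (-not $InSystemDir) { Add-Finding 'ProcessLocationAnomaly' $Proc.Path "PID $($Proc.Id)" }
    }
}

# 4. The task the sample deletes. It should be absent after infection; the deletion itself is
#    recorded as event 141 in the TaskScheduler Operational log when that log is enabled
#    (it is off by default on many builds, so an empty result is not evidence of absence).
if (Get-ScheduledTask -TaskName $DeletedTaskName -ErrorAction SilentlyContinue) {
    Add-Finding 'ScheduledTask' $DeletedTaskName 'still present'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 141 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($DeletedTaskName) } |
    ForEach-Object { Add-Finding 'TaskDeleted' $DeletedTaskName ('at {0:u}' -f $_.TimeCreated) }

# 5. Defender service: the sample runs "sc query windefend"; confirm the service is still running.
$Defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $Defender -or $Defender.Status -ne 'Running') {
    $State = if ($Defender) { $Defender.Status } else { 'not installed' }
    Add-Finding 'DefenderService' 'WinDefend' "status: $State"
}

$Findings | Sort-Object Kind | Format-Table -AutoSize
```

A clean host produces no RunKey, StartupFolder, DroppedFile or ProcessLocationAnomaly rows. Because the sample removes its own CleanSweepCheck task, its absence proves nothing; the event-log row is the evidence that matters there, and only on hosts where that log is enabled.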

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior (4 identical events collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior (3 identical events collapsed)
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process information set: NOOPENFILEERRORBOX Jump to behavior (29 identical events collapsed)
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (49 identical events collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (105 identical events collapsed)
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX (26 identical events collapsed)
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\dllhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: H TASKKILL /F /IM WIRESHARK.EXE
Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CMD /C TASKKILL /F /IM WIRESHARK.EXE
Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSWOW64\CMD.EXECMD /C TASKKILL /F /IM WIRESHARK.EXEC:\PROGRAMDATA\DLLHOST.EXEWINSTA0\DEFAULT=::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=X86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILES (X86)PROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWS+I
Source: cmd.exe, 0000001F.00000002.1763053184.0000000000790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSWOW64\TASKKILL.EXEXETASKKILL /F /IM WIRESHARK.EXE.TASKKILL /F /IM WIRESHARK.EXESWINSTA0\DEFAULT::==::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\COMMON FILES\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SIDEBYSIDEIERSM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PRO\REGI\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SIDEBYSIDEW6432=C:\PROB
Source: dllhost.exe, 00000002.00000002.3861286250.00000000004A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASKKILL /F /IM WIRESHARK.EXET\WC:\PROGRAMDATA\DLLHOST.EXEIWINSTA0\DEFAULTLEL=::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\C
Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /F /IM WIRESHARK.EXE(I
Source: cmd.exe, 0000001F.00000002.1763053184.0000000000790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSWOW64\CMD.EXECMD /C TASKKILL /F /IM WIRESHARK.EXEC:\PROGRAMDATA\DLLHOST.EXEWINSTA0\DEFAULT
Source: cmd.exe, 0000001F.00000002.1765475915.0000000002C80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CMD/CTASKKILL/F/IMWIRESHARK.EXEROGRAM
Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKKILL /F /IM WIRESHARK.EXE2I
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000002.00000002.3865755977.0000000002662000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.0000000002752000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.000000000274F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001F.00000002.1765475915.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.0000000002552000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.000000000254F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.000000000265F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.0000000002662000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: cmd.exe, 0000001F.00000002.1763527076.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CMD /C TASKKILL /F /IM WIRESHARK.EXECI
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Memory allocated: A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Memory allocated: 27D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Memory allocated: A40000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 8E0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 970000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 80D0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 90D0000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 92B0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A2B0000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: B670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: C670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 90D0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: B670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: C670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: B670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 90D0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: B670000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: C370000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: D370000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: C730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: D730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: E730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: F730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 10730000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 10EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 11EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 12EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 13EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 14EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 15EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 16EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 17EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 18EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 19EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 1AEB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 1BEB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 1CEB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 1DEB0000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: D730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: E730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 10730000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 13EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 14EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 15EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 16EB0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 910000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 2740000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A60000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 9E0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 4510000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 9E0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 4540000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 8D0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 4650000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 8E0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: A40000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 8C0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: C90000 memory commit | memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 9C0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\ProgramData\dllhost.exe Memory allocated: 46F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\dllhost.exe Window / User API: threadDelayed 2146
Source: C:\ProgramData\dllhost.exe Window / User API: threadDelayed 427
Source: C:\ProgramData\dllhost.exe Window / User API: threadDelayed 1043
Source: C:\ProgramData\dllhost.exe Window / User API: foregroundWindowGot 883
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2922
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe TID: 3772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe TID: 3772 Thread sleep count: 90 > 30
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe TID: 3572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 6320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5896 Thread sleep time: -1073000s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5896 Thread sleep time: -521500s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2352 Thread sleep count: 2922 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2340 Thread sleep count: 179 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 2352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4708 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 3848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 3160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 3324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5164 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 6080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5392 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 4784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 6752 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 2548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\dllhost.exe TID: 5544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: dllhost.exe, 00000002.00000002.3889638801.000000000C731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicex
Source: dllhost.exe, 0000002A.00000002.3335794048.0000000002A79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicedS|l
Source: dllhost.exe, 00000029.00000002.2777347353.000000000290B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicedS|lh
Source: dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicedS|l(tn
Source: svchost.exe, 0000001C.00000002.3398339348.000001AAA9C59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dllhost.exe, 00000027.00000002.2185454516.0000000002662000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxServicedS|lt
Source: dllhost.exe, 0000002A.00000002.3335794048.00000000027BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxService
Source: svchost.exe, 0000001C.00000002.3394016537.000001AAA462B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dllhost.exe, 00000002.00000002.3861577606.000000000059B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process token adjusted: Debug
Source: C:\ProgramData\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\ProgramData\dllhost.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc stop windefend
Source: C:\Users\user\Desktop\SpeedHack666Cheat (no VM detected).exe Process created: C:\ProgramData\dllhost.exe "C:\ProgramData\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc query windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc delete windefend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Wireshark.exe
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.000000000274F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.000000000274F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman*set CDAudio door open.set CDAudio door closed
Source: C:\ProgramData\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\dllhost.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\dllhost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\reg.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\ProgramData\dllhost.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: SpeedHack666Cheat (no VM detected).exe, 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000002.00000002.3865755977.0000000002662000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.0000000002752000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 0000001A.00000002.2012435812.000000000274F000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001F.00000002.1765475915.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.0000000002552000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000026.00000002.2076276822.000000000254F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.000000000265F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000027.00000002.2185454516.0000000002662000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: dllhost.exe, 00000002.00000002.3880743925.00000000074F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: dllhost.exe, 00000002.00000002.3880743925.00000000074F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows Defender\MsMpeng.exe
Source: dllhost.exe, 00000002.00000002.3880743925.00000000075A6000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000002.00000002.3880743925.00000000074F0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000002.00000002.3888859227.000000000C1A1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000002.00000002.3861577606.000000000059B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\ProgramData\dllhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 4940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000025.00000002.1982630198.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1507638179.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 4940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SpeedHack666Cheat (no VM detected).exe PID: 6780, type: MEMORYSTR