| Source: C:\Users\user\AppData\Roaming\qwevqjeiqvj.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\System Volume Information\Chkdsk\SearchUI.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Windows\SysWOW64\comrepl\fontdrvhost.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Windows\SysWOW64\comrepl\fontdrvhost.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Recovery\csrss.exe | Avira: detection malicious, Label: TR/Blocker.aastp |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | ReversingLabs: Detection: 57% |
| Source: C:\Recovery\csrss.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Recovery\csrss.exe | ReversingLabs: Detection: 57% |
| Source: C:\System Volume Information\Chkdsk\SearchUI.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\System Volume Information\Chkdsk\SearchUI.exe | ReversingLabs: Detection: 57% |
| Source: C:\Users\user\AppData\Roaming\qwevqjeiqvj.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Users\user\AppData\Roaming\qwevqjeiqvj.exe | ReversingLabs: Detection: 57% |
| Source: C:\Windows\SysWOW64\comrepl\fontdrvhost.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Windows\SysWOW64\comrepl\fontdrvhost.exe | ReversingLabs: Detection: 57% |
| Source: C:\Windows\SysWOW64\iasnap\fontdrvhost.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Windows\SysWOW64\iasnap\fontdrvhost.exe | ReversingLabs: Detection: 57% |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | Metadefender: Detection: 29% | Perma Link |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | ReversingLabs: Detection: 57% |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723 |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.554257510.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000011.00000002.671633909.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672488180.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672938172.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, JRFdtWyAvbQxLlvO.exe, 00000013.00000002.673039261.0000000002C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.discordapp.com |
| Source: csrss.exe, csrss.exe, 00000011.00000002.659651499.0000000000352000.00000002.00000001.01000000.00000009.sdmp, csrss.exe, 00000011.00000002.671633909.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, JRFdtWyAvbQxLlvO.exe, JRFdtWyAvbQxLlvO.exe, 00000013.00000000.575873581.00000000006E2000.00000002.00000001.01000000.0000000A.sdmp, JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672085337.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, SearchUI.exe, SearchUI.exe, 00000015.00000000.576664320.0000000000C32000.00000002.00000001.01000000.0000000B.sdmp, csrss.exe, 0000001C.00000000.590216084.0000000000842000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: http://cdn.discordapp.com/attachments/932607293869146142/941782821578633216/Sjxupcet.jpg |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553830530.0000000001199000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.690420985.0000000007F30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
| Source: powershell.exe, 00000016.00000002.672141586.000000000499E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.672127271.000000000556E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.673640958.00000000050EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.554257510.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000011.00000002.671633909.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672488180.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.664966995.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.671410119.0000000005431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.671010760.0000000004FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: powershell.exe, 00000016.00000002.672141586.000000000499E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.672127271.000000000556E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.673640958.00000000050EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
| Source: JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672938172.0000000002C39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com |
| Source: JRFdtWyAvbQxLlvO.exe, 00000013.00000002.672938172.0000000002C39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/932607293869146142/941782821578633216/Sjxupcet.jpg |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.554326400.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, csrss.exe, 00000011.00000002.672081969.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com4Gk |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.554390785.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.554469458.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000008.00000000.550714016.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/ |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /attachments/932607293869146142/941782821578633216/Sjxupcet.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3ea78e0.9.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3ea78e0.9.raw.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3d82590.7.raw.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3ea78e0.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3ea78e0.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: 2.2.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.3d82590.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_01020040 | 2_2_01020040 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106F300 | 2_2_0106F300 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_010642E0 | 2_2_010642E0 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_01063581 | 2_2_01063581 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106D440 | 2_2_0106D440 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_01064790 | 2_2_01064790 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106A7F0 | 2_2_0106A7F0 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106DC85 | 2_2_0106DC85 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_010643A2 | 2_2_010643A2 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106F5A8 | 2_2_0106F5A8 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106B870 | 2_2_0106B870 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_0106AB20 | 2_2_0106AB20 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_01063D23 | 2_2_01063D23 |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Code function: 2_2_01063CA9 | 2_2_01063CA9 |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Code function: 19_2_02973600 | 19_2_02973600 |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Code function: 19_2_02975E37 | 19_2_02975E37 |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Code function: 19_2_029753D1 | 19_2_029753D1 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078EC078 | 22_2_078EC078 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078EC078 | 22_2_078EC078 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_07E342B8 | 22_2_07E342B8 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E83D8 | 22_2_078E83D8 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E83E8 | 22_2_078E83E8 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E0006 | 22_2_078E0006 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E0040 | 22_2_078E0040 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E54A8 | 22_2_078E54A8 |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_078E54B8 | 22_2_078E54B8 |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000001.00000002.366908799.00000000009F8000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameSjxupcet.exeF vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000000.365818256.0000000000948000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameSjxupcet.exeF vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.552936489.000000000111A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.559121813.0000000003D82000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOveyjvjwoht.dll" vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.558911567.0000000003C59000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000002.00000002.553950891.0000000001210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe, 00000008.00000000.550768549.0000000000F58000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameSjxupcet.exeF vs 64AE5410F978DF0F48DCC67508820EA230C566967E002.exe |
| Source: unknown | Process created: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe "C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe" | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe "C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe" user | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | |
| Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\iasnap\fontdrvhost.exe'" /rl HIGHEST /f | |
| Source: unknown | Process created: C:\Recovery\csrss.exe C:\Recovery\csrss.exe | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\comrepl\fontdrvhost.exe'" /rl HIGHEST /f | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JRFdtWyAvbQxLlvO" /sc ONLOGON /tr "'C:\Recovery\JRFdtWyAvbQxLlvO.exe'" /rl HIGHEST /f | |
| Source: unknown | Process created: C:\Recovery\JRFdtWyAvbQxLlvO.exe C:\Recovery\JRFdtWyAvbQxLlvO.exe | |
| Source: C:\Recovery\csrss.exe | Process created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" user | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\System Volume Information\Chkdsk\SearchUI.exe'" /rl HIGHEST /f | |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Process created: C:\Recovery\JRFdtWyAvbQxLlvO.exe "C:\Recovery\JRFdtWyAvbQxLlvO.exe" user | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f | |
| Source: unknown | Process created: C:\System Volume Information\Chkdsk\SearchUI.exe C:\System Volume Information\Chkdsk\SearchUI.exe | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe' | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\csrss.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iasnap\fontdrvhost.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: unknown | Process created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | |
| Source: unknown | Process created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\comrepl\fontdrvhost.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\JRFdtWyAvbQxLlvO.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\System Volume Information\Chkdsk\SearchUI.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Recovery\csrss.exe | Process created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" user | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe' | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PQCfAXDYbo.bat" | |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | Process created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe" user | |
| Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe "C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe" user | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\csrss.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iasnap\fontdrvhost.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\comrepl\fontdrvhost.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\JRFdtWyAvbQxLlvO.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\System Volume Information\Chkdsk\SearchUI.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe' | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PQCfAXDYbo.bat" | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\iasnap\fontdrvhost.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\comrepl\fontdrvhost.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "JRFdtWyAvbQxLlvO" /sc ONLOGON /tr "'C:\Recovery\JRFdtWyAvbQxLlvO.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\System Volume Information\Chkdsk\SearchUI.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f | Jump to behavior |
| Source: C:\Recovery\csrss.exe | Process created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" user | Jump to behavior |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Process created: C:\Recovery\JRFdtWyAvbQxLlvO.exe "C:\Recovery\JRFdtWyAvbQxLlvO.exe" user | Jump to behavior |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | Process created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe" user | |
| Source: C:\Recovery\csrss.exe | Process created: C:\Recovery\csrss.exe "C:\Recovery\csrss.exe" user | |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.12.unpack, I1y/u00357j.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.12.unpack, I1y/u00357j.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.6.unpack, I1y/u00357j.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
| Source: 8.0.64AE5410F978DF0F48DCC67508820EA230C566967E002.exe.400000.6.unpack, I1y/u00357j.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\64AE5410F978DF0F48DCC67508820EA230C566967E002.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Recovery\csrss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Recovery\csrss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | Jump to behavior |
| Source: C:\Recovery\JRFdtWyAvbQxLlvO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\System Volume Information\Chkdsk\SearchUI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
| Source: C:\Recovery\csrss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Edit tour
64AE5410F978DF0F48DCC67508820EA230C566967E002.exe (PID: 5600 cmdline: 
powershell.exe (PID: 5784 cmdline: 
conhost.exe (PID: 416 cmdline: 
conhost.exe (PID: 3768 cmdline: 
WmiPrvSE.exe (PID: 924 cmdline: 
