Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/ |
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dll |
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dllndows.storage.dlll |
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3D88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.0000000003590000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php |
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?scr=1 |
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1 |
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=18 |
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1urn |
Source: rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.phpk |
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/im |
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://45.80.158.31/sP |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4734000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX |
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_006FB219 |
0_2_006FB219 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_00715054 |
0_2_00715054 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0073B17B |
0_2_0073B17B |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0073C240 |
0_2_0073C240 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0073B29B |
0_2_0073B29B |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_007366F0 |
0_2_007366F0 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_00714865 |
0_2_00714865 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_00717843 |
0_2_00717843 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0072B8A3 |
0_2_0072B8A3 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0073AA29 |
0_2_0073AA29 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_006F4AF0 |
0_2_006F4AF0 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_00719BE5 |
0_2_00719BE5 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_00736B88 |
0_2_00736B88 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_006F4C70 |
0_2_006F4C70 |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_006F4E70 |
0_2_006F4E70 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00165054 |
2_2_00165054 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0018B17B |
2_2_0018B17B |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0018C240 |
2_2_0018C240 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0018B29B |
2_2_0018B29B |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_001866F0 |
2_2_001866F0 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00167843 |
2_2_00167843 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00164865 |
2_2_00164865 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0017B8A3 |
2_2_0017B8A3 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0018AA29 |
2_2_0018AA29 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00144AF0 |
2_2_00144AF0 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00186B88 |
2_2_00186B88 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00169BE5 |
2_2_00169BE5 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00144C70 |
2_2_00144C70 |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_00144E70 |
2_2_00144E70 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_6C833140 |
8_2_6C833140 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_6C8422C1 |
8_2_6C8422C1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B4C77F8 |
9_2_00007FFD9B4C77F8 |
Source: unknown |
Process created: C:\Users\user\Desktop\I7GcHDtUIF.exe "C:\Users\user\Desktop\I7GcHDtUIF.exe" |
|
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe" |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
|
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles |
|
Source: C:\Windows\System32\netsh.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
|
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe" |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: mstask.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: dui70.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: duser.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: chartv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: oleacc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: atlthunk.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: wtsapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: winsta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: windows.fileexplorer.common.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Section loaded: explorerframe.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: ifmon.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: mprapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasmontr.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasapi32.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: rasman.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: mfc42u.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: authfwcfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwpolicyiomgr.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: firewallapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwbase.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: dhcpcmonitor.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: dot3cfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: dot3api.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: onex.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: eappcfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: eappprxy.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: fwcfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: hnetmon.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: netshell.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: netsetupapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: netiohlp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: nettrace.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshhttp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: httpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshipsec.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: activeds.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: polstore.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: winipsec.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: adsldpc.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: adsldpc.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: nshwfp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: cabinet.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: p2pnetsh.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: p2p.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: rpcnsh.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wcnnetsh.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wlanapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: whhelper.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wlancfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wshelper.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wevtapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wwancfg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wwapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wcmapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: rmclient.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: mobilenetworking.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: peerdistsh.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: ktmw32.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: mprmsg.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kdscli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: wininet.dll |
|
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0071136C push ecx; ret |
0_2_0071137F |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Code function: 0_2_0070049B push ds; retf 0000h |
0_2_0070049F |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0016136C push ecx; ret |
2_2_0016137F |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Code function: 2_2_0015049B push ds; retf 0000h |
2_2_0015049F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 8_2_6C8375A6 push ecx; ret |
8_2_6C8375B9 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B4B28FA push ebx; iretd |
9_2_00007FFD9B4B290A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B4B2785 push ebx; iretd |
9_2_00007FFD9B4B290A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58BBCA push ss; ret |
9_2_00007FFD9B58BBD5 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B584BCA push ss; ret |
9_2_00007FFD9B584BCC |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B584BD0 push ss; ret |
9_2_00007FFD9B584BD9 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58B2CA push esi; retf |
9_2_00007FFD9B58B2CB |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58CACC push eax; retf 0000h |
9_2_00007FFD9B58CAD5 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B5812CF push ss; ret |
9_2_00007FFD9B5812D1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58CAA8 push 140000C9h; retf 0000h |
9_2_00007FFD9B58CAB1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58CA8A push esi; retf |
9_2_00007FFD9B58CA8B |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58B260 push ss; ret |
9_2_00007FFD9B58B263 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B586340 push eax; retf |
9_2_00007FFD9B58634B |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B584B05 push ss; ret |
9_2_00007FFD9B584B0B |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B5862DE push ss; ret |
9_2_00007FFD9B5862E0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58AA1B push ss; ret |
9_2_00007FFD9B58AA1E |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58221A push esi; retf |
9_2_00007FFD9B58221B |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B5888B2 push esi; retf |
9_2_00007FFD9B5888B3 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58185F push ss; ret |
9_2_00007FFD9B581861 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B589942 push ss; ret |
9_2_00007FFD9B589944 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B5837A8 push eax; retf |
9_2_00007FFD9B5837B3 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B582F98 push ss; ret |
9_2_00007FFD9B582F9A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58CF60 push eax; iretd |
9_2_00007FFD9B58CF61 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58285C push ss; ret |
9_2_00007FFD9B582865 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B582856 push ss; ret |
9_2_00007FFD9B582858 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B58AFFA push ss; ret |
9_2_00007FFD9B58AFFD |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 9_2_00007FFD9B586E64 push ss; ret |
9_2_00007FFD9B586E6C |
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.xlsx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\netsh.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: I7GcHDtUIF.exe, type: SAMPLE |
Source: Yara match |
File source: 8.2.rundll32.exe.6c830000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 14.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1659071184.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000000.2288882399.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000E.00000002.2290214428.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.1664512178.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.1667726403.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.1692138583.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000000.1689588542.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED |